IETF Logo Mail Archive

Re: [kitten] SPAKE and weak checksum types

Henry B Hotz <hbhotz@oxy.edu> Mon, 11 September 2017 19:35 UTC

Return-Path: <hbhotz@oxy.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 283911331EB for <kitten@ietfa.amsl.com>; Mon, 11 Sep 2017 12:35:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.534
X-Spam-Level:
X-Spam-Status: No, score=-3.534 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_SOFTFAIL=0.665, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id B0ET0YzQ1PUr for <kitten@ietfa.amsl.com>; Mon, 11 Sep 2017 12:35:28 -0700 (PDT)
Received: from mailout.easymail.ca (mailout.easymail.ca [64.68.200.34]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 062FC1331F7 for <kitten@ietf.org>; Mon, 11 Sep 2017 12:35:19 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mailout.easymail.ca (Postfix) with ESMTP id 076E62AB7A; Mon, 11 Sep 2017 19:35:18 +0000 (UTC)
Received: from mailout.easymail.ca ([127.0.0.1]) by localhost (emo02-pco.easydns.vpn [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rGQNANl2b4UH; Mon, 11 Sep 2017 19:35:17 +0000 (UTC)
Received: from [100.73.146.149] (74.sub-70-197-78.myvzw.com [70.197.78.74]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mailout.easymail.ca (Postfix) with ESMTPSA id D724B2A815; Mon, 11 Sep 2017 19:35:14 +0000 (UTC)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (1.0)
From: Henry B Hotz <hbhotz@oxy.edu>
X-Mailer: iPhone Mail (14G60)
In-Reply-To: <x7defrdz0le.fsf@equal-rites.mit.edu>
Date: Mon, 11 Sep 2017 12:35:12 -0700
Cc: kitten@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <A374D6EA-9C58-4A8B-A68F-1CF9DE20669C@oxy.edu>
References: <x7defrdz0le.fsf@equal-rites.mit.edu>
To: Greg Hudson <ghudson@mit.edu>
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/QfSfy4u1UVNFSiShvhFsUDX_VY8>
Subject: Re: [kitten] SPAKE and weak checksum types
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Sep 2017 19:35:30 -0000

IIUC you are concerned with the case that someone will stand up a kdc which will opportunistically use SPAKE, but supports older/weaker stuff. By its nature such a beast will be vulnerable to downgrade attacks and you can't solve that in SPAKE. 

That said, I'm OK with your proposed change.  It does point the finger in the right direction. 

Personal email. hbhotz@oxy.edu

> On Sep 11, 2017, at 9:01 AM, Greg Hudson <ghudson@mit.edu> wrote:
> 
> Currently the SPAKE draft says, in security considerations:
> 
>    Weak checksums present a risk to the transcript checksum. Any etype
>    with a checksum based on one of the following algorithms MUST NOT be
>    used:
> 
>    * CRC32
>    * MD4
>    * MD5
> 
> I have several problems with this clause.  The implementer doesn't get
> to choose the transcript checksum type; it is specified as the required
> checksum type of the initial reply key.  To conform to this clause, and
> implementer must decline to offer SPAKE preauth if the initial reply key
> uses RC4 or DES.  While those enctypes are problematic, I don't think
> it's ideal for the KDC to throw up its hands and use encrypted timestamp
> just because the SPAKE transcript checksum would be using MD5 (which is
> still preimage-resistant as far as we know).
> 
> Also, this clause focuses on the transcript checksum, which seems like a
> difficult attack vector as it is merely one component of key derivation,
> while ignoring other possible weaknesses of the reply key encryption
> type, such as the integrity tag on the key confirmation or the
> confidentiality of second-factor data.
> 
> I propose to replace this clause with the following wording:
> 
>    This mechanism does not upgrade the encryption type of the initial
>    reply key, and relies on that encryption type for confidentiality,
>    integrity, and pseudo-random functions. If the client long-term key
>    uses a weak encryption type, an attacker might be able to subvert
>    the exchange, and the replaced reply key will also be of the same
>    weak encryption type.
> 
> (During the design of the SPAKE preauth mechanism, I did consider the
> possibility of upgrading the reply key encryption type, so that the
> client long-term key is only used as a source of octets for the shared
> secret input to the SPAKE algorithm.  Although that would be a neat
> benefit for deployments with a lot of legacy DES or RC4 client keys, it
> would significantly complicate the spec.  It would also introduce a risk
> of a downgrade attack on the initial reply key enctype, e.g. if the KDC
> could be fooled into thinking that DES is a better choice than AES by
> altering the request enctype list.)
> 
> _______________________________________________
> Kitten mailing list
> Kitten@ietf.org
> https://www.ietf.org/mailman/listinfo/kitten

v2.23.0 | Report a Bug | By Email