Re: [kitten] SPAKE Preauth
Nathaniel McCallum <npmccallum@redhat.com> Thu, 30 April 2015 16:53 UTC
Return-Path: <npmccallum@redhat.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8C4C31B2E23 for <kitten@ietfa.amsl.com>; Thu, 30 Apr 2015 09:53:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.911
X-Spam-Level:
X-Spam-Status: No, score=-5.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HK_RANDOM_ENVFROM=0.001, HK_RANDOM_FROM=1, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xKEvwY_p6eu2 for <kitten@ietfa.amsl.com>; Thu, 30 Apr 2015 09:52:58 -0700 (PDT)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A500A1B2E0A for <kitten@ietf.org>; Thu, 30 Apr 2015 09:52:58 -0700 (PDT)
Received: from int-mx11.intmail.prod.int.phx2.redhat.com (int-mx11.intmail.prod.int.phx2.redhat.com [10.5.11.24]) by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id t3UGqtCA026949 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Thu, 30 Apr 2015 12:52:55 -0400
Received: from vpn-58-66.rdu2.redhat.com (vpn-58-66.rdu2.redhat.com [10.10.58.66]) by int-mx11.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id t3UGqrai008772 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Thu, 30 Apr 2015 12:52:54 -0400
Message-ID: <1430412773.5004.26.camel@redhat.com>
From: Nathaniel McCallum <npmccallum@redhat.com>
To: Nico Williams <nico@cryptonector.com>
Date: Thu, 30 Apr 2015 12:52:53 -0400
In-Reply-To: <20150430163818.GB6026@localhost>
References: <1430138754.2682.10.camel@redhat.com> <20150429161716.GH6026@localhost> <1430401789.5004.21.camel@redhat.com> <20150430163818.GB6026@localhost>
Content-Type: text/plain; charset="UTF-8"
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.24
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/QwDHELZC3rRMkZAed9uvZIwjTcw>
Cc: "kitten@ietf.org" <kitten@ietf.org>
Subject: Re: [kitten] SPAKE Preauth
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Apr 2015 16:53:00 -0000
On Thu, 2015-04-30 at 11:38 -0500, Nico Williams wrote: > On Thu, Apr 30, 2015 at 09:49:49AM -0400, Nathaniel McCallum wrote: > > On Wed, 2015-04-29 at 11:17 -0500, Nico Williams wrote: > > > > As I stated in the draft: "where a timestamp is used, time > > synchronization between the client and KDC becomes a point of > > fragility." I think your paragraph here proves this point. Where > > synchronization is off, extra messages are sent. I think this > > qualifies as fragility. > > Extra round trips != fragility. Fragility -> sometimes clients fail. > > In this case the extra round trips are merely sub-optimal behavior > that > users mostly don't notice, and which is greatly amortized anyways. > > Clients can sometimes fail, but only if they don't implement clock > skew > correction based on the timestamps in KRB-ERROR PDUs. Implementation > issues don't really count for this argument unless implementation is > particularly difficult, which it's not. > > > > IMO the time sync aspects of this are a bit overdone :) > > > > Maybe. I'll see if I can come up with wording you like better. I > > still > > think it is worth mentioning however. > > But it's not really a motivating factor for this work, is it? It's > just > icing on the cake. Agreed. I'll de-emphasize it in the next edition. > > > - Section 1.1 is a bit weak. I don't think it's even necessary > > > to > > > explain PAKE in terms of DH key agreement either. > > > > > > The properties of a PAKE are: > > > > > > - provides authenticated key agreement with both parties > > > contributing entropy to the shared secret; > > > > > > (And each exchange yields a different shared secret.) > > > > > > - is resistant to off-line dictionary attacks by > > > eavesdroppers, > > > even > > > for small, simple passwordsj > > > > > > - "servers" store password equivalents; > > > > > > (In an augmented PAKE the server stores a verifier, but > > > you're > > > not > > > proposing the use of an augmented PAKE.) > > > > > > - users "store" passwords. > > > > The intent of this section is to explain PAKE to those unfamiliar > > with > > it. If such is not needed in this document, I can remove it. > > To me it reads like an explanation by the author to a younger > version of > the author :) Especially given the focus on DH. One can construct > key > agreement protocols with PFS using RSA instead of DH, so the focus > on DH > strikes me as accidental rather than fundamental. (Heck, I think I > can > construct EKE-like ZKPPs out of RSA as well.) > > I'd rather that the properties of a PAKE be listed and references to > DH > be left out in this section. Fair enough. My concern was to provide a good introduction to PAKE for those unfamiliar with it. But if we aren't worried about such, then we can just list the properties and move on. > > > - Section 1.2, the claim about why FAST is difficult to deploy > > > requires > > > more evidence, and I believe it's wrong. The problem with > > > FAST is > > > that it's difficult to make it a requirement for PA-ENC > > > -TIMESTAMP > > > because FAST is not universally available yet -- the tragedy > > > of > > > legacy forever. Sure, one has to deploy trust anchors, but > > > then > > > again, one doesn't have to (leap of faith), and one can (for > > > machines > > > that have "joined" a realm or hierarchy of realms). > > > > Well, that is not Red Hat's experience. We have FAST everywhere, > > but > > we have people who don't want us to configure their client. This is > > most especially true in open communities like Fedora where we are > > working with volunteers. > > > > In these cases we have two options: > > [...] > > In contrast, PAKE allows a completely configless usage with no > > third > > -party trust and no leap of faith. > > OK, this is what I was looking for, thanks. Glad we're on the same page now. I look forward to your comments/patches. :) Nathaniel
- [kitten] SPAKE Preauth Nathaniel McCallum
- Re: [kitten] SPAKE Preauth Greg Hudson
- Re: [kitten] SPAKE Preauth Benjamin Kaduk
- Re: [kitten] SPAKE Preauth Nico Williams
- Re: [kitten] SPAKE Preauth Nathaniel McCallum
- Re: [kitten] SPAKE Preauth Greg Hudson
- Re: [kitten] SPAKE Preauth Nathaniel McCallum
- Re: [kitten] SPAKE Preauth Nico Williams
- Re: [kitten] SPAKE Preauth Nathaniel McCallum
- Re: [kitten] SPAKE Preauth Nico Williams
- Re: [kitten] SPAKE Preauth Nathaniel McCallum
- Re: [kitten] SPAKE Preauth Nico Williams
- Re: [kitten] SPAKE Preauth Nico Williams
- Re: [kitten] SPAKE Preauth Nathaniel McCallum
- Re: [kitten] SPAKE Preauth Nathaniel McCallum
- Re: [kitten] SPAKE Preauth Nico Williams
- Re: [kitten] SPAKE Preauth Nathaniel McCallum
- Re: [kitten] SPAKE Preauth Nico Williams
- Re: [kitten] SPAKE Preauth Nathaniel McCallum
- Re: [kitten] SPAKE Preauth Ken Hornstein
- Re: [kitten] SPAKE Preauth Nico Williams
- Re: [kitten] SPAKE Preauth Benjamin Kaduk
- Re: [kitten] SPAKE Preauth Benjamin Kaduk
- Re: [kitten] SPAKE Preauth Nico Williams
- Re: [kitten] SPAKE Preauth Nico Williams
- Re: [kitten] SPAKE Preauth Simo Sorce
- Re: [kitten] SPAKE Preauth Nico Williams
- Re: [kitten] SPAKE Preauth Ken Hornstein
- Re: [kitten] SPAKE Preauth Nathaniel McCallum
- Re: [kitten] SPAKE Preauth Greg Hudson
- Re: [kitten] SPAKE Preauth Ken Hornstein
- Re: [kitten] SPAKE Preauth Nathaniel McCallum
- Re: [kitten] SPAKE Preauth Ken Hornstein
- Re: [kitten] SPAKE Preauth Simo Sorce
- Re: [kitten] SPAKE Preauth Nico Williams
- Re: [kitten] SPAKE Preauth Nico Williams
- [kitten] Bootstrapping PKINIT server certs with R… Nico Williams