IETF Logo Mail Archive

Re: [kitten] Question about AES mode in Kerberos

Luke Howard Bentata <lukeh@padl.com> Sun, 08 January 2023 00:24 UTC

Return-Path: <lukeh@padl.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E477EC14EB18; Sat, 7 Jan 2023 16:24:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.097
X-Spam-Level:
X-Spam-Status: No, score=-7.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=padl.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id j35AdjUWS7MV; Sat, 7 Jan 2023 16:24:03 -0800 (PST)
Received: from us.padl.com (us.padl.com [216.154.215.154]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 57D4FC14EB17; Sat, 7 Jan 2023 16:24:02 -0800 (PST)
Received: from auth (localhost [127.0.0.1]) by us.padl.com (8.14.7/8.14.7) with ESMTP id 3080Nu7t026934 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Sun, 8 Jan 2023 00:23:59 GMT
DKIM-Filter: OpenDKIM Filter v2.11.0 us.padl.com 3080Nu7t026934
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=padl.com; s=default; t=1673137441; bh=k+s5cRUcvSO3TG2d8jAr9ImHuA7oKt/MA+Vw8ov1IOA=; h=Subject:From:In-Reply-To:Date:Cc:References:To:From; b=zLSQmWTOkwFLGaVBPfds1Jba3YEIq6vcwTcodah6mY5I18S9zPwRgeenuCESFku3R PfhzmzhyYv/hRIUu9m/UGnnuUoaIgc4jz++hBw8T7l69OWduDW1RmMuN4t3aslOGxi MuK82TwnDvxuiBm4HSiOjZzRXJ94llNnZEJ5T1Vw0sRY6MHCy8oHjfXcEj1EC+Cv2M PT7765ks7zNfWkgrnQuJAIZChh0D59IBCBKjINLIOnd8n/46CdwyLoh78w2vc5YTW4 jwk2K3el+bTgY3ULT3TMpy1XO80RMz+Q1dFcTPhJmaIpLP6B+0esR73eRAmSmX0Saj WtVIFxa8QFiJw==
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.200.110.1.12\))
From: Luke Howard Bentata <lukeh@padl.com>
In-Reply-To: <cb3ff38f-7e62-0711-9a6c-50a96b571e2d@mit.edu>
Date: Sun, 08 Jan 2023 11:23:44 +1100
Cc: Olga Kornievskaia <aglo@umich.edu>, Luke Howard Bentata <lukeh=40padl.com@dmarc.ietf.org>, "kitten@ietf.org" <kitten@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <04C2F638-A514-4FED-9554-9357A4620137@padl.com>
References: <CAN-5tyGGJXoo9RfKEGTsk8XeQDpZ--VSnO7nunzvnBBzrRB0WQ@mail.gmail.com> <558f31de-7fac-26c7-fe81-8e486968f0ef@secure-endpoints.com> <7B46A5A4-4415-4627-B964-44F2516D84FE@padl.com> <9464B1FF-6784-4D59-A4F6-1B5D58C2B94F@padl.com> <CAN-5tyE4eau116TkDLbvn+pTOjK_C+WEvi9SnUELr+4riTpZcw@mail.gmail.com> <cb3ff38f-7e62-0711-9a6c-50a96b571e2d@mit.edu>
To: Greg Hudson <ghudson@mit.edu>
X-Mailer: Apple Mail (2.3731.200.110.1.12)
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/R8iy72Nw6d9EXTrv-jGFEQQhNVs>
Subject: Re: [kitten] Question about AES mode in Kerberos
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 08 Jan 2023 00:24:08 -0000

> * The motivation appears to be performance, but meaningful performance gains have not been demonstrated in the context of a GSS application.

Agreed. Another motivation could be diversity (using GMAC instead of HMAC-SHA).

> * GCM is a fragile encryption mode; any mistakes in the nonce input would lead to a catastrophic security vulnerability.

True.

> * This work creates an enctype unsuitable for general use, but which would require an entry in the IANA enctypes registry to be negotiable with RFC 4537.  Putting algorithms with very different security properties registered in the same registry has proven to lead to security issues (such as CVE-2010-1324).

True. I suppose this could be avoided by using a distinct negotiation mechanism (e.g. another AD type in the AP-REQ).

> * The enctype can't fit within the RFC 3961 framework (I believe) because it requires nonce information from an upper layer.

True, although this is addressed by draft-howard-krb-aead-00.

> * Microsoft's reason for interest ("something [...] for post-sha256") doesn't seem to match up with a GSS-only enctype.

Not speaking for MS of course, however Windows doesn’t expose RFC3961 APIs, only RFC4121 (via SSPI with the Kerberos and PKU2U SSPs).

> A general-purpose enctype using AES-GCM-SIV (RFC 8452) and random nonces would be a better fit for Kerberos, but I don't see a good reason to specify it unless compelling performance gains can be demonstrated.

Noted.

— Luke

PS. NegoEx does RFC3961 checksums, but that’s not directly relevant here as Kerberos is never negotiated by NegoEx. It should also be safe to use draft-howard-gssapi-aead with a fixed zero nonce for NegoEx checksums, because AFAICT checksum keys are not reused (they are per-mechanism and per-direction). Having said that, the fact this is not straightforward to reason about is an argument in favour of your second and third points.

v2.23.0 | Report a Bug | By Email