Re: [kitten] SPAKE and non-deterministic RFC 3961 checksums

Benjamin Kaduk <kaduk@mit.edu> Thu, 28 September 2017 02:21 UTC

Return-Path: <kaduk@mit.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0BCC1135269 for <kitten@ietfa.amsl.com>; Wed, 27 Sep 2017 19:21:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.221
X-Spam-Level:
X-Spam-Status: No, score=-4.221 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id y_V3QDY6C9LS for <kitten@ietfa.amsl.com>; Wed, 27 Sep 2017 19:21:35 -0700 (PDT)
Received: from dmz-mailsec-scanner-3.mit.edu (dmz-mailsec-scanner-3.mit.edu [18.9.25.14]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 26EBB135267 for <kitten@ietf.org>; Wed, 27 Sep 2017 19:21:34 -0700 (PDT)
X-AuditID: 1209190e-1d3ff7000000497a-5a-59cc5cad7a1d
Received: from mailhub-auth-4.mit.edu ( [18.7.62.39]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-3.mit.edu (Symantec Messaging Gateway) with SMTP id 6C.7F.18810.DAC5CC95; Wed, 27 Sep 2017 22:21:33 -0400 (EDT)
Received: from outgoing.mit.edu (OUTGOING-AUTH-1.MIT.EDU [18.9.28.11]) by mailhub-auth-4.mit.edu (8.13.8/8.9.2) with ESMTP id v8S2LWKZ006171; Wed, 27 Sep 2017 22:21:32 -0400
Received: from kduck.kaduk.org (24-107-191-124.dhcp.stls.mo.charter.com [24.107.191.124]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id v8S2LSX3010007 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Wed, 27 Sep 2017 22:21:30 -0400
Date: Wed, 27 Sep 2017 21:21:28 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: "Henry B (Hank) Hotz, CISSP" <hbhotz@oxy.edu>
Cc: Simo Sorce <simo@redhat.com>, kitten@ietf.org
Message-ID: <20170928022127.GF96685@kduck.kaduk.org>
References: <x7d1sn5zyl8.fsf@equal-rites.mit.edu> <20170919015937.GN96685@kduck.kaduk.org> <1505920169.1143.15.camel@redhat.com> <20170923190527.GU96685@kduck.kaduk.org> <1506358991.3211.1.camel@redhat.com> <20170926022550.GZ96685@kduck.kaduk.org> <B9ED4047-4BAF-4F58-A4CF-5CE420371BB7@oxy.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <B9ED4047-4BAF-4F58-A4CF-5CE420371BB7@oxy.edu>
User-Agent: Mutt/1.8.3 (2017-05-23)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFmpileLIzCtJLcpLzFFi42IRYrdT110bcybSYM88TouP9xayWBzdvIrF 4sfcRawOzB5Llvxk8tja9JfZ4/2+q2wBzFFcNimpOZllqUX6dglcGefam5gKznFVzJ37hamB 8SRHFyMnh4SAicSe/8/Zuhi5OIQEFjNJXPxwigXC2cgoseXRFUYI5yqTxOe7E5hBWlgEVCWm X5jGCGKzCahINHRfBouLCBhKTF85kRXEZgayp+zdyAZiCwu4SJz9sJQJxOYFWreksZ8dYugm Jom71xcxQyQEJU7OfMIC0awlcePfS6AGDiBbWmL5P7BTOQWsJV48fge2V1RAWWLevlVsExgF ZiHpnoWkexZC9wJG5lWMsim5Vbq5iZk5xanJusXJiXl5qUW6xnq5mSV6qSmlmxhBwcspybeD cVKD9yFGAQ5GJR7eCwtORwqxJpYVV+YeYpTkYFIS5V3ifiZSiC8pP6UyI7E4I76oNCe1+BCj BAezkgjveWagHG9KYmVValE+TEqag0VJnHdb0K5IIYH0xJLU7NTUgtQimKwMB4eSBO+daKBG waLU9NSKtMycEoQ0EwcnyHAeoOGsMSDDiwsSc4sz0yHypxh1OR7duPuHSYglLz8vVUqc9z/I IAGQoozSPLg5oKQjkb2/5hWjONBbwrxFIFU8wIQFN+kV0BImoCW9U0+ALClJREhJNTDaCYj5 qSvkTEvm++i6bvkO21+TJ0+bttU/fNGpO4yTorxTd9+wUfXnS3ybUTD1jaLL5u16fjnupzVi ZWQfLq3J4EjdwLA6TbPnvtqzpdp7v8rH7qj3SL7b/DXbev2Bswn5y9csnL5gtYryMh7zO/sl jLLX/Ger3PEwtTp1/bH+WBWp73Fb42SVWIozEg21mIuKEwEZgac/FQMAAA==
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/TUpRzJBzLParFpXEEUdV_vH_XRM>
Subject: Re: [kitten] SPAKE and non-deterministic RFC 3961 checksums
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Sep 2017 02:21:37 -0000

On Mon, Sep 25, 2017 at 10:04:15PM -0700, Henry B (Hank) Hotz, CISSP wrote:
> 
> > On Sep 25, 2017, at 7:25 PM, Benjamin Kaduk <kaduk@MIT.EDU>; wrote:
> > 
> > That said, Greg noted on IRC that if we do have a "no DES and SPAKE
> > together" requirement, the KDC knows the initial reply key and can
> > do the right thing fairly easiliy, including rejecting optimistic
> > attempts from (broken) clients.  So, I'm starting to come around to
> > the camp of "prevent SPAKE with 1DES, and require all future mandatory
> > checksum types to be deterministic".  (Possibly all future checksum
> > types entirely, but that may be too aggressive.)
> 
> Do we really have that many single-des deployments to worry about anymore? Everything I know of, including AFS and AD/Windows, has better alternatives available and just waiting to be turned on. Surely nobody is still using JGSS in Java 1.4.

As I understand it, there is not much (any?) modern software that strictly
requires single-DES, but there are also many sites where the effort to
upgrade has not been expended.  Even in ATHENA.MIT.EDU, we have cross-realm
keys that are actively used (albeit not for terribly critical functionality)
that remain single-DES because of the logistical challenges involved in
getting both KDC administrators in contact and with a trusted channel.

-Ben