Re: [kitten] SPAKE and non-deterministic RFC 3961 checksums

Robbie Harwood <rharwood@redhat.com> Tue, 26 September 2017 15:24 UTC

Return-Path: <rharwood@redhat.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 46F9713309D for <kitten@ietfa.amsl.com>; Tue, 26 Sep 2017 08:24:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.9
X-Spam-Level:
X-Spam-Status: No, score=-6.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CFXC7oPN1is0 for <kitten@ietfa.amsl.com>; Tue, 26 Sep 2017 08:24:37 -0700 (PDT)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DD13C134213 for <kitten@ietf.org>; Tue, 26 Sep 2017 08:24:37 -0700 (PDT)
Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.phx2.redhat.com [10.5.11.16]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 60E713B728; Tue, 26 Sep 2017 15:24:37 +0000 (UTC)
DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com 60E713B728
Authentication-Results: ext-mx06.extmail.prod.ext.phx2.redhat.com; dmarc=none (p=none dis=none) header.from=redhat.com
Authentication-Results: ext-mx06.extmail.prod.ext.phx2.redhat.com; spf=fail smtp.mailfrom=rharwood@redhat.com
Received: from localhost (ovpn-66-196.rdu2.redhat.com [10.10.66.196]) by smtp.corp.redhat.com (Postfix) with ESMTP id 371EB71C4A; Tue, 26 Sep 2017 15:24:34 +0000 (UTC)
From: Robbie Harwood <rharwood@redhat.com>
To: "Henry B \(Hank\) Hotz\, CISSP" <hbhotz@oxy.edu>, Benjamin Kaduk <kaduk@MIT.EDU>
Cc: kitten@ietf.org, Simo Sorce <simo@redhat.com>
In-Reply-To: <B9ED4047-4BAF-4F58-A4CF-5CE420371BB7@oxy.edu>
References: <x7d1sn5zyl8.fsf@equal-rites.mit.edu> <20170919015937.GN96685@kduck.kaduk.org> <1505920169.1143.15.camel@redhat.com> <20170923190527.GU96685@kduck.kaduk.org> <1506358991.3211.1.camel@redhat.com> <20170926022550.GZ96685@kduck.kaduk.org> <B9ED4047-4BAF-4F58-A4CF-5CE420371BB7@oxy.edu>
Date: Tue, 26 Sep 2017 11:25:28 -0400
Message-ID: <jlgd16dmqhj.fsf@redhat.com>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha512; protocol="application/pgp-signature"
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.16
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.30]); Tue, 26 Sep 2017 15:24:37 +0000 (UTC)
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/VG-DMsg8t7A2Kx30xKtvLpj8rM4>
Subject: Re: [kitten] SPAKE and non-deterministic RFC 3961 checksums
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Sep 2017 15:24:39 -0000

"Henry B (Hank) Hotz, CISSP" <hbhotz@oxy.edu>; writes:

>> On Sep 25, 2017, at 7:25 PM, Benjamin Kaduk <kaduk@MIT.EDU>; wrote:
>> 
>> That said, Greg noted on IRC that if we do have a "no DES and SPAKE
>> together" requirement, the KDC knows the initial reply key and can
>> do the right thing fairly easiliy, including rejecting optimistic
>> attempts from (broken) clients.  So, I'm starting to come around to
>> the camp of "prevent SPAKE with 1DES, and require all future mandatory
>> checksum types to be deterministic".  (Possibly all future checksum
>> types entirely, but that may be too aggressive.)
>
> Do we really have that many single-des deployments to worry about
> anymore? Everything I know of, including AFS and AD/Windows, has
> better alternatives available and just waiting to be turned on. Surely
> nobody is still using JGSS in Java 1.4.

I don't think we can really know until we start pulling support for it,
rather than just having it off by default.  Our model makes it easy to
deploy a KDC in a "compatibility" mode (which I suspect a lot of sites
do) and then worry less about what clients are running around.

Thanks,
--Robbie