Re: [kitten] SPAKE and weak checksum types

Benjamin Kaduk <kaduk@mit.edu> Thu, 14 September 2017 15:25 UTC

Date: Thu, 14 Sep 2017 10:25:05 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: Greg Hudson <ghudson@mit.edu>
Cc: kitten@ietf.org
Message-ID: <20170914152505.GR96685@kduck.kaduk.org>
References: <x7defrdz0le.fsf@equal-rites.mit.edu> <A374D6EA-9C58-4A8B-A68F-1CF9DE20669C@oxy.edu> <363e60be-b63d-3be4-dfdb-0f085480a98b@mit.edu> <jlgingn6ezq.fsf@redhat.com> <20170914013625.GO96685@kduck.kaduk.org> <898b0135-7c9d-078d-c213-faf90c5c0417@mit.edu>
In-Reply-To: <898b0135-7c9d-078d-c213-faf90c5c0417@mit.edu>
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/VT8okJipMD9nxFgfZPYywUke9WY>

On Thu, Sep 14, 2017 at 12:20:15AM -0400, Greg Hudson wrote:
> On 09/13/2017 09:36 PM, Benjamin Kaduk wrote:
> > 
> > I must still be foggy from recovering from being sick; could you walk
> > me through the passive attack a bit more slowly (or which scenarios are
> > being compared)?
> 
> The particular scenario I was concerned about here (which should not be
> an issue since we appear to have agreement on the text change) was: the
> KDC and the client both permit SPAKE and encrypted timestamp.  The KDC
> decides not to offer SPAKE because the initial reply key is an RC4 key
> and therefore the transcript checksum would use HMAC-MD5.  The passive
> attacker can simply dictionary attack the ciphertext from the client (or
> the KDC).

Ah, the passive attack is limited to the case where the weak reply key
would be used, got it.

Thanks,

Ben