IETF Logo Mail Archive

Re: [kitten] [EXTERNAL] Re: Question about AES mode in Kerberos

Luke Howard <lukeh@padl.com> Fri, 06 January 2023 08:30 UTC

Return-Path: <lukeh@padl.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C62D3C151521 for <kitten@ietfa.amsl.com>; Fri, 6 Jan 2023 00:30:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.097
X-Spam-Level:
X-Spam-Status: No, score=-7.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=padl.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id m24zXgX-R71N for <kitten@ietfa.amsl.com>; Fri, 6 Jan 2023 00:30:45 -0800 (PST)
Received: from us.padl.com (us.padl.com [216.154.215.154]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 528EEC151520 for <kitten@ietf.org>; Fri, 6 Jan 2023 00:30:44 -0800 (PST)
Received: from auth (localhost [127.0.0.1]) by us.padl.com (8.14.7/8.14.7) with ESMTP id 3068Uavt007232 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Fri, 6 Jan 2023 08:30:39 GMT
DKIM-Filter: OpenDKIM Filter v2.11.0 us.padl.com 3068Uavt007232
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=padl.com; s=default; t=1672993840; bh=HAxVQQGt8EaizuFf2sR4fAL90Mq/hHeiJouOUbHzjno=; h=From:Subject:Date:In-Reply-To:Cc:To:References:From; b=W875BxkfzZNM4UiOhaTJSRtMpShbZ0kPDVeZfwufmicsyFBAjpYElepdaaHefVwzu GcC81gmk9sam0gFrT7yao4nAVqarlpPfJ2uTEmMeM280vPcYzWKpi+juyPf2a2BziL g58RuMv/3L2ibNJxpMKoY6MEkKZ4zdujDVkSfqsKgbl6dMiGaadVr/owkbLTC8TOTD +OMnRSESMzNoJHDfgmS9kzXBI9p2TttIzLlhrgs6O8ifliJjPX8q4CJzjLdkWA8uxF 41cR0NaMA4Km7zDaIBZjAbswKLpyXhxzKPlUPmcfHYKsX34rFg8Bxh4g2L0wt0NJ12 nJruxMkcgm/Jg==
From: Luke Howard <lukeh@padl.com>
Message-Id: <9ACBF03D-4137-4E9A-963E-4D07082FC805@padl.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_FF689130-852D-48A7-9E3E-09056B3BFE3C"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.1\))
Date: Fri, 06 Jan 2023 19:30:36 +1100
In-Reply-To: <B970CFE5-FB03-47C2-87F4-BFC82C87D13A@padl.com>
To: "kitten@ietf.org" <kitten@ietf.org>
References: <CAN-5tyGGJXoo9RfKEGTsk8XeQDpZ--VSnO7nunzvnBBzrRB0WQ@mail.gmail.com> <558f31de-7fac-26c7-fe81-8e486968f0ef@secure-endpoints.com> <7B46A5A4-4415-4627-B964-44F2516D84FE@padl.com> <9464B1FF-6784-4D59-A4F6-1B5D58C2B94F@padl.com> <MW4PR21MB1970090CC5E20FC4BADA0B469CFA9@MW4PR21MB1970.namprd21.prod.outlook.com> <B970CFE5-FB03-47C2-87F4-BFC82C87D13A@padl.com>
X-Mailer: Apple Mail (2.3696.120.41.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/W9c3abgOgiz5kr89dT_pYnR0MWQ>
Subject: Re: [kitten] [EXTERNAL] Re: Question about AES mode in Kerberos
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Jan 2023 08:30:49 -0000

Slightly refreshed draft here:

https://www.ietf.org/archive/id/draft-howard-gssapi-aead-01.txt <https://www.ietf.org/archive/id/draft-howard-gssapi-aead-01.txt>

Refreshed implementation here:

https://github.com/heimdal/heimdal/tree/lukeh/aes-gcm <https://github.com/heimdal/heimdal/tree/lukeh/aes-gcm>

I added some text about why EC and RRC are safe to leave unprotected (they’re known constants which can be validated by the peer, generally zero except for EC wrap tokens without confidentiality).

Nico points out we should use this opportunity to encrypt the AP-REP enc-part in the initiator sub-session rather than the ticket session key. Otherwise you can replay an AP-REP against an AP-REQ made with the same ticket, which would be bad for GCM (as we are using a deterministic IV). I haven’t updated the draft yet to reflect this.

> On 5 Jan 2023, at 3:32 pm, Luke Howard Bentata <lukeh=40padl.com@dmarc.ietf.org> wrote:
> 
> 
> 
>> On 5 Jan 2023, at 12:39 pm, Steve Syfuhs (AP) <Steve.Syfuhs=40microsoft.com@dmarc.ietf.org> wrote:
>> 
>> Us Windows folks are vaguely interested. With our RC4 deprecation work winding down, it’d be nice to get something going for post-sha256. That said we don’t have a need for GCM yet. Just looking at it from a crypto-agility perspective.
> 
> Because the profile doesn’t actually support longterm keys, it avoids any longterm key-related agility issues (you’d carry on using AES session keys, and CCM/GCM is negotiated through RFC4537). So that makes things a little more straightforward.
> 
> Anyway, have a look at the drafts, let me know if you have any questions, in the interim I’m rebasing on top of Heimdal master.
> _______________________________________________
> Kitten mailing list
> Kitten@ietf.org
> https://www.ietf.org/mailman/listinfo/kitten

v2.23.0 | Report a Bug | By Email