Re: [kitten] SPAKE and weak checksum types
"Henry B (Hank) Hotz, CISSP" <hbhotz@oxy.edu> Fri, 15 September 2017 04:38 UTC
Return-Path: <hbhotz@oxy.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2E3BB132EDC for <kitten@ietfa.amsl.com>; Thu, 14 Sep 2017 21:38:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.534
X-Spam-Level:
X-Spam-Status: No, score=-3.534 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_SOFTFAIL=0.665, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fxVA-BVZMqXG for <kitten@ietfa.amsl.com>; Thu, 14 Sep 2017 21:38:37 -0700 (PDT)
Received: from mailout.easymail.ca (mailout.easymail.ca [64.68.200.34]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 539F5132ED3 for <kitten@ietf.org>; Thu, 14 Sep 2017 21:38:37 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mailout.easymail.ca (Postfix) with ESMTP id 411142B0F4; Fri, 15 Sep 2017 04:38:36 +0000 (UTC)
Received: from mailout.easymail.ca ([127.0.0.1]) by localhost (emo02-pco.easydns.vpn [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yQaaGrQVgdYp; Fri, 15 Sep 2017 04:38:36 +0000 (UTC)
Received: from macbook-air-2.lan (66-215-86-135.dhcp.psdn.ca.charter.com [66.215.86.135]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mailout.easymail.ca (Postfix) with ESMTPSA id 5E0A62B0F0; Fri, 15 Sep 2017 04:38:29 +0000 (UTC)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2104\))
From: "Henry B (Hank) Hotz, CISSP" <hbhotz@oxy.edu>
In-Reply-To: <898b0135-7c9d-078d-c213-faf90c5c0417@mit.edu>
Date: Thu, 14 Sep 2017 21:38:28 -0700
Cc: Benjamin Kaduk <kaduk@mit.edu>, kitten@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <3D9FE776-CE1C-4C82-951A-98E5D8A57511@oxy.edu>
References: <x7defrdz0le.fsf@equal-rites.mit.edu> <A374D6EA-9C58-4A8B-A68F-1CF9DE20669C@oxy.edu> <363e60be-b63d-3be4-dfdb-0f085480a98b@mit.edu> <jlgingn6ezq.fsf@redhat.com> <20170914013625.GO96685@kduck.kaduk.org> <898b0135-7c9d-078d-c213-faf90c5c0417@mit.edu>
To: Greg Hudson <ghudson@MIT.EDU>
X-Mailer: Apple Mail (2.2104)
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/Yk030cH92Ah5dKaUYcTVA9DhRzA>
Subject: Re: [kitten] SPAKE and weak checksum types
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Sep 2017 04:38:39 -0000
> On Sep 13, 2017, at 9:20 PM, Greg Hudson <ghudson@MIT.EDU> wrote: > > On 09/13/2017 09:36 PM, Benjamin Kaduk wrote: >>>>> IIUC you are concerned with the case that someone will stand up a kdc >>>>> which will opportunistically use SPAKE, but supports older/weaker >>>>> stuff. By its nature such a beast will be vulnerable to downgrade >>>>> attacks and you can't solve that in SPAKE. >>>> >>>> If the KDC downgrades itself to encrypted timestamp for DES/RC4 keys, >>>> only a passive attack is needed, versus an active attack to downgrade >>>> to encrypted timestamp. >> >> I must still be foggy from recovering from being sick; could you walk >> me through the passive attack a bit more slowly (or which scenarios are >> being compared)? > > The particular scenario I was concerned about here (which should not be > an issue since we appear to have agreement on the text change) was: the > KDC and the client both permit SPAKE and encrypted timestamp. The KDC > decides not to offer SPAKE because the initial reply key is an RC4 key > and therefore the transcript checksum would use HMAC-MD5. The passive > attacker can simply dictionary attack the ciphertext from the client (or > the KDC). Wouldn’t the KDC have already sent a preuth-required message which prohibited that enctype? I thought the list of enctypes was separate from the list of PA types. > _______________________________________________ > Kitten mailing list > Kitten@ietf.org > https://www.ietf.org/mailman/listinfo/kitten Personal email. hbhotz@oxy.edu
- [kitten] SPAKE and weak checksum types Greg Hudson
- Re: [kitten] SPAKE and weak checksum types Henry B Hotz
- Re: [kitten] SPAKE and weak checksum types Greg Hudson
- Re: [kitten] SPAKE and weak checksum types Robbie Harwood
- Re: [kitten] SPAKE and weak checksum types Benjamin Kaduk
- Re: [kitten] SPAKE and weak checksum types Greg Hudson
- Re: [kitten] SPAKE and weak checksum types Benjamin Kaduk
- Re: [kitten] SPAKE and weak checksum types Henry B (Hank) Hotz, CISSP
- Re: [kitten] SPAKE and weak checksum types Benjamin Kaduk