Re: [kitten] New s2k and exposing the strength (iteration count) part of s2kparams
Jeffrey Hutzelman <jhutz@cmu.edu> Mon, 02 December 2013 21:38 UTC
Return-Path: <jhutz@cmu.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CF1C01ADF8B for <kitten@ietfa.amsl.com>; Mon, 2 Dec 2013 13:38:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level:
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Q6g6BGQgZhv0 for <kitten@ietfa.amsl.com>; Mon, 2 Dec 2013 13:38:56 -0800 (PST)
Received: from smtp03.srv.cs.cmu.edu (SMTP03.SRV.CS.CMU.EDU [128.2.217.198]) by ietfa.amsl.com (Postfix) with ESMTP id E97961ADF87 for <kitten@ietf.org>; Mon, 2 Dec 2013 13:38:55 -0800 (PST)
Received: from [128.2.193.239] (minbar.fac.cs.cmu.edu [128.2.193.239]) (authenticated bits=0) by smtp03.srv.cs.cmu.edu (8.13.6/8.13.6) with ESMTP id rB2LcqUp029511 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=NO); Mon, 2 Dec 2013 16:38:52 -0500 (EST)
Message-ID: <1386020332.9407.118.camel@minbar.fac.cs.cmu.edu>
From: Jeffrey Hutzelman <jhutz@cmu.edu>
To: kitten@ietf.org
Date: Mon, 02 Dec 2013 16:38:52 -0500
In-Reply-To: <32722_1386018295_rB2L4rvE023770_CAK3OfOgeJW9XoaNYKytKQqeTzjgCE4xNnhhhCyhBzZZ=kJ+o4w@mail.gmail.com>
References: <32722_1386018295_rB2L4rvE023770_CAK3OfOgeJW9XoaNYKytKQqeTzjgCE4xNnhhhCyhBzZZ=kJ+o4w@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"
X-Mailer: Evolution 3.2.3-0ubuntu6
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0
X-Scanned-By: mimedefang-cmuscs on 128.2.217.198
Cc: jhutz@cmu.edu
Subject: Re: [kitten] New s2k and exposing the strength (iteration count) part of s2kparams
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 02 Dec 2013 21:38:58 -0000
On Mon, 2013-12-02 at 15:04 -0600, Nico Williams wrote: > ISTM that we should: > > 1) Expose the iteration count of the otherwise-opaque s2k params, and > standardize it, renaming it a strength indication and leaving its > interpretation as mechanism-specific. I.e., from now on all new > enctypes with s2kparams will have theirs start with a four-octet, > network byte order unsigned measure of strength. I don't think that's necessary. The s2k parameters aren't really opaque; they're enctype-specific and pseudo-opaque at the Kerberos protocol layer, in the same way that PA-DATA and authorization data are. IMHO it works better that way, because it means we can carry such things end-to-end without all of the intermediate pieces having to understand them. This has brought us extensibility that otherwise would have been impossible, and even some that we previously thought _was_ impossible (e.g. ticket extensions using a magic enctype). It might be useful for Kerberos libraries, admin tools, and KDC implementations to include interfaces for managing s2k parameters. However, I don't think doing so requires that we mandate that future enctypes use a particular format for s2k parameters, or use a single linear "strength" parameter. Future S2K algorithms may have arbitrary numbers of parameters, and while it may be possible and even desirable to compute a single "strength indication" from those parameters, the operation is not likely to be reversible, which means that s2k params will need to encode the actual individual parameters. > 2) It'd be nice if we could add memory-hard s2k functions. I'm not > sure what NIST is prepared to consider here. I guess anything > provably not weaker than PBKDF2 should be acceptable, but I'm not sure > how to construct such a thing (XOR of two s2ks is not necessarily > provably not weaker than either of the s2ks; consider the case where > they are the same s2k!). > > For a memory- and compute-hard s2k the strength measure might be > composed of two numbers, one indicating memory strength and the other > indicating compute strength. Oh, look; you've just made my point for me. :-) -- Jeff
- [kitten] New s2k and exposing the strength (itera… Nico Williams
- Re: [kitten] New s2k and exposing the strength (i… Jeffrey Hutzelman
- Re: [kitten] New s2k and exposing the strength (i… Nico Williams