IETF Logo Mail Archive

Re: [kitten] GSS-only enctypes

Nico Williams <nico@cryptonector.com> Wed, 01 April 2015 22:06 UTC

Return-Path: <nico@cryptonector.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 68D7C1A0151 for <kitten@ietfa.amsl.com>; Wed, 1 Apr 2015 15:06:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.044
X-Spam-Level:
X-Spam-Status: No, score=-1.044 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ASA6tsfxt9yT for <kitten@ietfa.amsl.com>; Wed, 1 Apr 2015 15:06:04 -0700 (PDT)
Received: from homiemail-a55.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) by ietfa.amsl.com (Postfix) with ESMTP id 8782B1A0070 for <kitten@ietf.org>; Wed, 1 Apr 2015 15:06:04 -0700 (PDT)
Received: from homiemail-a55.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a55.g.dreamhost.com (Postfix) with ESMTP id 4440E160B for <kitten@ietf.org>; Wed, 1 Apr 2015 15:06:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h= mime-version:in-reply-to:references:date:message-id:subject:from :to:cc:content-type; s=cryptonector.com; bh=fE4yD8Fs1DAvM4ZgAS+O jLlSJFg=; b=nhp1Xyh6FAh/gkUP74qHH/a9VicouA7iW6lrGEPGl/Xjvv0LEm6a SZsgboX0qKdrK6Pcqf0MDlBN0Yjg4t0y2IJSQHEeToGqqFa4v2mxD1HVOD6wrP8e Hw/MMDdq0n2C3ERO0kFAtcWFSLEISMN3HS7ViMWWyV1WwyEkx8ct2xI=
Received: from mail-ie0-f172.google.com (mail-ie0-f172.google.com [209.85.223.172]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by homiemail-a55.g.dreamhost.com (Postfix) with ESMTPSA id 3006B160A for <kitten@ietf.org>; Wed, 1 Apr 2015 15:06:04 -0700 (PDT)
Received: by ierf6 with SMTP id f6so55093959ier.2 for <kitten@ietf.org>; Wed, 01 Apr 2015 15:06:03 -0700 (PDT)
MIME-Version: 1.0
X-Received: by 10.42.226.69 with SMTP id iv5mr68713278icb.58.1427925963845; Wed, 01 Apr 2015 15:06:03 -0700 (PDT)
Received: by 10.64.130.66 with HTTP; Wed, 1 Apr 2015 15:06:03 -0700 (PDT)
In-Reply-To: <ldvk2xvpl2q.fsf@sarnath.mit.edu>
References: <CAK3OfOj+Pe8kdAqfXR5EJgw38ekHSUwYv7NBEAZU3FpScbH3cw@mail.gmail.com> <alpine.GSO.1.10.1504011603320.22210@multics.mit.edu> <551C5C53.10901@mit.edu> <CAK3OfOgPg1xs7yg=Mh5+qb2L5j2ZDZVwr1D+NXs5QOzpnHA3Hw@mail.gmail.com> <ldvk2xvpl2q.fsf@sarnath.mit.edu>
Date: Wed, 01 Apr 2015 17:06:03 -0500
Message-ID: <CAK3OfOgogdvyqUzKsLmbTB8B8x+RUQ9-Simknbd687d_-HCuPQ@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: Tom Yu <tlyu@mit.edu>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/_ml3C-wUAOjiGqcFd86XXL3SLZc>
Cc: "kitten@ietf.org" <kitten@ietf.org>
Subject: Re: [kitten] GSS-only enctypes
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Apr 2015 22:06:05 -0000

On Wed, Apr 1, 2015 at 4:58 PM, Tom Yu <tlyu@mit.edu> wrote:
> Nico Williams <nico@cryptonector.com> writes:
>
>> On Wed, Apr 1, 2015 at 4:00 PM, Greg Hudson <ghudson@mit.edu> wrote:
>>> On 04/01/2015 04:04 PM, Benjamin Kaduk wrote:
>>>> I'm not sure that we got enough active input at the meeting on this
>>>> question to be able to declare consensus.  Regardless, we should ask the
>>>> list if there are objections to (or support for) using the Kerberos
>>>> enctype number space for enctypes with restricted usability (i.e., only
>>>> for subsession keys, or GSS, etc.).
>>>
>>> I didn't totally understand all of Nico's reasoning about this when he
>>> spoke at the meeting.  In general I think it's fine; it lets us
>>> negotiate AEAD enctypes using RFC 4537 enctype negotation and the
>>> existing subkey fields when mutual auth is used.
>>
>> Conversely, not reusing the RFC3961 enctype namespace means a) adding
>> a new extension like RFC4537 to carry the client's/initiator's AEAD
>> enctype list and sub-keys, b) extending AP-REP to carry the
>> server's/acceptor's sub-key and choice of AEAD enctype.  That seems
>> like lots of unnecessary complexity.
>
> I generally agree with that reasoning.  I think we should clearly
> document the security considerations of the "restricted usage enctype"
> approach.  We should also require that future specifications of
> restricted usage enctypes clearly document the security considerations
> of using the restricted enctype outside of the intended scope, e.g.,
> compromise of all future authentication if there is nonce reuse of a
> long-term AES-GCM key.

Yes.

I'd rather say that AEAD enctypes are just NOT RFC3961 enctypes, and
they cannot be used in any RFC3961 interfaces.  But that approach does
increase the friction between a Kerberos GSS mechanism implementation
and the libkrb5 underneath (e.g., a krb5_authcontext wouldn't be able
to have GSS-only sub-keys, and extracting them from the Authenticator
and AP-REP might require new internal interfaces).

We might have to settle for simply not permitting use of AEAD in
non-GSS contexts.

Nico
--

v2.23.0 | Report a Bug | By Email