Re: [kitten] SPAKE Preauth
Nathaniel McCallum <npmccallum@redhat.com> Fri, 01 May 2015 21:19 UTC
Return-Path: <npmccallum@redhat.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0C5BB1A0069 for <kitten@ietfa.amsl.com>; Fri, 1 May 2015 14:19:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.012
X-Spam-Level:
X-Spam-Status: No, score=-4.012 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, HK_RANDOM_ENVFROM=0.001, HK_RANDOM_FROM=1, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 126LCghtZtEF for <kitten@ietfa.amsl.com>; Fri, 1 May 2015 14:19:00 -0700 (PDT)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8B41F1A0033 for <kitten@ietf.org>; Fri, 1 May 2015 14:19:00 -0700 (PDT)
Received: from int-mx10.intmail.prod.int.phx2.redhat.com (int-mx10.intmail.prod.int.phx2.redhat.com [10.5.11.23]) by mx1.redhat.com (Postfix) with ESMTPS id 288092BB398; Fri, 1 May 2015 21:19:00 +0000 (UTC)
Received: from vpn-58-124.rdu2.redhat.com (vpn-58-124.rdu2.redhat.com [10.10.58.124]) by int-mx10.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id t41LIwDl006766 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Fri, 1 May 2015 17:18:59 -0400
Message-ID: <1430515138.2514.10.camel@redhat.com>
From: Nathaniel McCallum <npmccallum@redhat.com>
To: Nico Williams <nico@cryptonector.com>
Date: Fri, 01 May 2015 17:18:58 -0400
In-Reply-To: <20150501211503.GA10065@localhost>
References: <1430138754.2682.10.camel@redhat.com> <553FA2B3.8030301@mit.edu> <alpine.GSO.1.10.1504281531500.22210@multics.mit.edu> <20150501211503.GA10065@localhost>
Content-Type: text/plain; charset="UTF-8"
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.23
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/_wxctOF8dC5qvS0c5bwdtgYpUT0>
Cc: "kitten@ietf.org" <kitten@ietf.org>
Subject: Re: [kitten] SPAKE Preauth
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 May 2015 21:19:02 -0000
On Fri, 2015-05-01 at 16:15 -0500, Nico Williams wrote: > On Tue, Apr 28, 2015 at 05:53:01PM -0400, Benjamin Kaduk wrote: > > "can't tell which factor was guessed incorrectly" seems like a > > pretty > > important property (I would be really excited to see a scheme with > > this > > property get deployed!), but it does not seem to be mentioned in > > the > > current section 1.2 text. (It does talk about avoiding > > ciphertexts^Wpackets which are vulnerable to offline brute-force > > attack, > > but I don't see anything mentioning the online attack as well.) > > Hmm, this > > is mentioned in the security considerations, at least. I think it > > should > > be more prominent earlier in the document. > > > > However, it seems like the text at the end of section 4.3 wherein > > "[i]f > > validation of the second factor requires furthe round-trips, the > > KDC MUST > > reply to the client with KDC_ERR_MORE_PREAUTH_DATA_REQUIRED [...]" > > loses > > the indistinguishability property, as the encrypted > > SPAKESecondFactor > > would not be generated if the long-term key (password) was > > incorrect. > > This seems inherent to second factors which require multiple round > > trips > > to validate, though, so maybe we have to make a choice of the > > tradeoff. > > Yes. And 4.4 makes it worse because continued 2nd factor exchanges > use > EncryptedData, including from the AS to the client (which can then > confirm that its choice of password guess was incorrect). > > The fix for this is to send AS->client 2nd factor continuations in > the > clear if at all possible. Which means that in the AS->client 3rd and > subsequent passes we need a CHOICE of OCTET STRING or EncryptedData, > or > perhaps allow the use of the null enctype in the AS->client 2nd > factor > EncryptedData. > > The AS will know as soon as it tries to decrypt the client's 2nd > factor > (whose EncryptedData functions as a proof of possession) that the > client > doesn't know the password. In this case the AS should continue and > process _a_ 2nd factor as much as possible as if the password was > right. > The AS could do this by arranging to have a special user account (so > as > not to lock out the real user) for testing bogus second factors, and > using a random or constant 2nd factor for this. I think this is overkill. Most continuations will have already validated some aspect of the second factor. For instance, in HOTP/TOTP continuations are used for synchronization of the token after the validation of the initial token code. Nathaniel
- [kitten] SPAKE Preauth Nathaniel McCallum
- Re: [kitten] SPAKE Preauth Greg Hudson
- Re: [kitten] SPAKE Preauth Benjamin Kaduk
- Re: [kitten] SPAKE Preauth Nico Williams
- Re: [kitten] SPAKE Preauth Nathaniel McCallum
- Re: [kitten] SPAKE Preauth Greg Hudson
- Re: [kitten] SPAKE Preauth Nathaniel McCallum
- Re: [kitten] SPAKE Preauth Nico Williams
- Re: [kitten] SPAKE Preauth Nathaniel McCallum
- Re: [kitten] SPAKE Preauth Nico Williams
- Re: [kitten] SPAKE Preauth Nathaniel McCallum
- Re: [kitten] SPAKE Preauth Nico Williams
- Re: [kitten] SPAKE Preauth Nico Williams
- Re: [kitten] SPAKE Preauth Nathaniel McCallum
- Re: [kitten] SPAKE Preauth Nathaniel McCallum
- Re: [kitten] SPAKE Preauth Nico Williams
- Re: [kitten] SPAKE Preauth Nathaniel McCallum
- Re: [kitten] SPAKE Preauth Nico Williams
- Re: [kitten] SPAKE Preauth Nathaniel McCallum
- Re: [kitten] SPAKE Preauth Ken Hornstein
- Re: [kitten] SPAKE Preauth Nico Williams
- Re: [kitten] SPAKE Preauth Benjamin Kaduk
- Re: [kitten] SPAKE Preauth Benjamin Kaduk
- Re: [kitten] SPAKE Preauth Nico Williams
- Re: [kitten] SPAKE Preauth Nico Williams
- Re: [kitten] SPAKE Preauth Simo Sorce
- Re: [kitten] SPAKE Preauth Nico Williams
- Re: [kitten] SPAKE Preauth Ken Hornstein
- Re: [kitten] SPAKE Preauth Nathaniel McCallum
- Re: [kitten] SPAKE Preauth Greg Hudson
- Re: [kitten] SPAKE Preauth Ken Hornstein
- Re: [kitten] SPAKE Preauth Nathaniel McCallum
- Re: [kitten] SPAKE Preauth Ken Hornstein
- Re: [kitten] SPAKE Preauth Simo Sorce
- Re: [kitten] SPAKE Preauth Nico Williams
- Re: [kitten] SPAKE Preauth Nico Williams
- [kitten] Bootstrapping PKINIT server certs with R… Nico Williams