Re: [kitten] Request for review of a SASL mechanism using the OPAQUE aPAKE
Nadja von Reitzenstein Cerpnjak <me@dequbed.space> Mon, 17 October 2022 21:53 UTC
Return-Path: <me@dequbed.space>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 59A7CC1524C6 for <kitten@ietfa.amsl.com>; Mon, 17 Oct 2022 14:53:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.307
X-Spam-Level:
X-Spam-Status: No, score=-1.307 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, KHOP_HELO_FCRDNS=0.398, NICE_REPLY_A=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (public key: not available)" header.d=dequbed.space
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tBqQN0xN9SAj for <kitten@ietfa.amsl.com>; Mon, 17 Oct 2022 14:53:20 -0700 (PDT)
Received: from mail2.paranoidlabs.org (tureis.comfix.cc [148.251.10.134]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C34F6C1524BF for <kitten@ietf.org>; Mon, 17 Oct 2022 14:53:18 -0700 (PDT)
Received: from [IPV6:2001:9e8:17fa:6500:a15e:60b0:d899:5a5e] (unknown [IPv6:2001:9e8:17fa:6500:a15e:60b0:d899:5a5e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mail2.paranoidlabs.org (PlabsMail) with ESMTPSA id C525D33F1C5; Mon, 17 Oct 2022 21:53:10 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=dequbed.space; s=rsa-20210101; t=1666043591; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=nr2ckOrWKYPr7C2z2yna0+g4izy/sOcKHvdUg2X+t9k=; b=eUt5CxzW4EgXg4UxiyLgqrvESQA7PseD5iAGmLrCsfyKXCFye4FSE+xNQL1L4dVAr2A+Av /xX0J82JjQkSDuxXTH6vhlojjZXWNMPl30Ztxwl3t7niAI6zbadbxe8hHX7gflrcZGdNlz 4qXIf9dJ5oaxpMnDKP//THSMDJHgeAqWVlrWpNftvNrJVjCjbVVYkZ8N1lyJs6iVofz+Bv UlpiBOsI7cYsTNZOm8y8xAtvOGHzEHBRXNxAa7ez10WQP12hGoivMzp6YObtKmyRgLBEsg 77g/NrTv5S4CBfYP8kIVBPF22eGrAiXgDp6RSrrGCqFKwgTI2Ag6lz5O5841mw==
Message-ID: <a574a4ec-1aeb-d2fc-85d7-e72d5904a639@dequbed.space>
Date: Mon, 17 Oct 2022 23:53:08 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.3.3
From: Nadja von Reitzenstein Cerpnjak <me@dequbed.space>
To: Simon Josefsson <simon@josefsson.org>
Cc: kitten@ietf.org
References: <e5a00d86-48a1-d602-0ee8-8cb80c06f826@dequbed.space> <87edvgjgjq.fsf@latte.josefsson.org>
Content-Language: en-US
In-Reply-To: <87edvgjgjq.fsf@latte.josefsson.org>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/cfB4-erTno9sLl9KjBCXMFLPDls>
Subject: Re: [kitten] Request for review of a SASL mechanism using the OPAQUE aPAKE
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Oct 2022 21:53:26 -0000
As apparently my last reply got lost to the mail deities before reaching the list I hope it'll work better on the second try. Original Message: EHLO Simon! > - I'm very happy you modeled this as a GS2 profile, and would like to > explore/help establish it into a GSS-API mechanism. Some additional > wording on GSS-API credentials and naming would be useful. Thank you, I would in fact love help there. My experience with the GSS-API is limited to really only Kerberos V5, and even there I have spent more time understanding and implementing the Kerberos Network Protocol than I have with its GSS-API implementation. > - Don't define a SASL family! SASL families is a mess in SASL which > leads to sub-negotiation that have no well-established solution in > SASL. The naming can be the same, only that new separate documents > needs to be defined orthogonal to this if new parameters are > developed. Sub-negotiating between SCRAM-SHA1 and SCRAM-SHA256 has > proved challenging. Yeah, I have been on the receiving end of the troubles that come from trying to move an existing user base to SCRAM-SHA-256 in the XMPP world. However, with OPAQUE specifically a valid point can be made for another set of parameters, even outside of government regulations requiring certain cryptographic primitives: OPAQUE has the advantage that the server private key can be used via a HSM, making a leak of stored user credentials a significantly less drastic security incident. But the ristretto255 and decaf448 groups are quite new developments and somewhat niche. Compared to NIST P-256 the HSM support for both of the former is exceedingly rare. I personally feel more comfortable with ristretto255 and Argon2, but with the above point an OPAQUE variant using NIST P-256 and e.g. PBKDF#2 may very well be more secure in some circumstances. So if we were to take this into account this would lead us to define two OPAQUE-based mechanisms, called e.g. OPAQUE-A255BLK and OPAQUE-P256SHA, the former using Argon2, ristretto255 and BLAKE3, the latter PBKDF#2, NIST P-256 and {HKDF-,HMAC-,}SHA-256. And given that the only remaining difference between defining a mechanism family versus two discrete specifications would be the point in your blog post regarding the more complicated specification. I guess this question somewhat boils down to if we should let this kind of implementation support inform the standardization work this drastically. Potentially the correct approach would be to do the exact opposite; requiring ristretto255 and/or decaf448 may well push the next generation of HSM to add support for those groups, and adding ristretto255 support is very much not an undue burden if Curve25519 is already supported. > - Require TLS channel bindings. I don't think there is sufficient > use-cases ofr non-TLS settings for IETF application protocols any more > (and those that may exist aren't likely to be using state-of-the-art > authentication protocols -- and can always profile a mechanism if > necessary). The recent RFC9622 tls-exporter has sufficient properties > to always be included in authentication. Having an optional TLS > channel binding also leads to sub-negotiation between PLUS and > non-PLUS variants. That is an interesting point I hadn't considered. In the original discussion[¹] that sparked me writing the draft several people did argue for such an OPAQUE mechanism to provide a security layer. And given that OPAQUE *is* a key exchange protocol, it does suggest itself. My personal stance on that point is however that SASL security layer today are strictly worse than just using TLS. In fact, the only way I'd approach a security layer is as "STARTTLS in a trench coat" — i.e. by using in essence TLS-PSK to bootstrap the TLS context to then use as security layer. I'm not sure about requiring tls-exporter specifically. Many TLS implementation such as Windows' schannel and Apple's security-framework AFAIK don't offer exporter functionality at all. Also channel bindings become most useful when the channel isn't authenticated using PKIX or similar, i.e. in the context of RFC 7250 and the related RawPublicKey certificate type of TLS 1.3. Both of which notably are *also* not supported by the two aforementioned implementations. That all being said this too is somewhat the same question as above; how much existing implementation support should inform our standardization work. > I'm happy to help your effort, and will look into developing a prototype > as well within GNU SASL. That would be wonderful, yes! I'll work on an implementation of this for the rsasl library, although it may take me several more days to get that done. Thanks for your kind words, Nadja [¹]: https://github.com/stef/libopaque/issues/31
- [kitten] Request for review of a SASL mechanism u… Nadja von Reitzenstein Cerpnjak
- Re: [kitten] Request for review of a SASL mechani… Simon Josefsson
- Re: [kitten] Request for review of a SASL mechani… Dave Cridland
- Re: [kitten] Request for review of a SASL mechani… Florian Schmaus
- Re: [kitten] Request for review of a SASL mechani… Rick van Rein
- Re: [kitten] Request for review of a SASL mechani… Rick van Rein
- Re: [kitten] Request for review of a SASL mechani… Nadja von Reitzenstein Cerpnjak
- Re: [kitten] Request for review of a SASL mechani… Nadja von Reitzenstein Cerpnjak
- Re: [kitten] Request for review of a SASL mechani… Rick van Rein
- Re: [kitten] Request for review of a SASL mechani… Dave Cridland
- Re: [kitten] Request for review of a SASL mechani… Nadja von Reitzenstein Cerpnjak
- Re: [kitten] Request for review of a SASL mechani… Rick van Rein
- Re: [kitten] Request for review of a SASL mechani… Alexey Melnikov