IETF Logo Mail Archive

Re: [kitten] AD review of draft-ietf-kitten-krb-spake-preauth-06

Benjamin Kaduk <kaduk@mit.edu> Sat, 06 April 2019 02:26 UTC

Return-Path: <kaduk@mit.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4349B12046E for <kitten@ietfa.amsl.com>; Fri, 5 Apr 2019 19:26:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XnXfMXNMsQaf for <kitten@ietfa.amsl.com>; Fri, 5 Apr 2019 19:26:29 -0700 (PDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D3A33120149 for <kitten@ietf.org>; Fri, 5 Apr 2019 19:26:28 -0700 (PDT)
Received: from kduck.mit.edu (24-107-191-124.dhcp.stls.mo.charter.com [24.107.191.124]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id x362QNuI023356 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 5 Apr 2019 22:26:27 -0400
Date: Fri, 05 Apr 2019 21:26:23 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: Greg Hudson <ghudson@mit.edu>
Cc: kitten@ietf.org
Message-ID: <20190406022623.GH70202@kduck.mit.edu>
References: <20190404235859.GM54777@kduck.mit.edu> <320b38a9-7dc1-49af-f054-a8863da4d23b@mit.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <320b38a9-7dc1-49af-f054-a8863da4d23b@mit.edu>
User-Agent: Mutt/1.10.1 (2018-07-13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/jf8DK8_DS9r93I1mtl3tb33HXug>
Subject: Re: [kitten] AD review of draft-ietf-kitten-krb-spake-preauth-06
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 06 Apr 2019 02:26:31 -0000

On Thu, Apr 04, 2019 at 08:58:14PM -0400, Greg Hudson wrote:
> On 4/4/19 7:58 PM, Benjamin Kaduk wrote:
> > In general this document is in good shape, but the elephant in the room
> > is the state of the dependency draft-irtf-cfrg-spake2, which is
> > apparently not as stable as we thought.  It seems likely that we'll need
> > to wait until that document is further along before we can finalize our
> > revisions to this document and go to IETF LC; furthermore, I expect
> > we'll want to reissue some codepoints so that the current meanings stay
> > valid (tied to draft-irtf-cfrg-06's behavior) and the new codepoints
> > match the RFC version of the CFRG spec.  (Except when we consciously
> > diverge, as for the transcript hash, etc.)
> > 
> > In particular I think we will need to allocate a new PA-SPAKE value.
> > (I don't think I see a reason to allocate a new KEY_USAGE_SPAKE value.)
> 
> I guess we didn't have the same takeaways regarding the recent revisions
> to draft-irtf-cfrg-spake2.  I argued that the changes to cofactor
> handling in SPAKE2 were unnecessary, inconsistent with how X25519 was
> specified, and should be reverted (though w1 in SPAKE2+ should become a
> scaled cofactor instead of an unscaled one).

Well, I see draft-irtf-cfrg-spake2 as being somewhat in flux still, in
response to Kenny's review, and I'm reluctant to blindly charge ahead with
this document until some clearer consensus arises there.  I do owe everyone
some responses to the thread for that document, still...

With respect to this document, the main change in draft-irtf-cfrg-spake2
that seems like a "breaking change" would be the cofactor handling, e.g.,
whether we pick a value that's divisible by h and send that vs. sending the
number from [0,p) and having the peer do the multiplication.  IIRC the
latter is "safer" in that it requires each party to perform the needed
check as a matter of course in running the protocol, rather than having an
additional "check step" that might be seen as optional and omitted.

> There are also changes to the requirements for key derivation which I
> believe we cannot reasonably meet within the Kerberos protocol; while
> these changes can be reasonably justified, I believe they make
> draft-irtf-cfrg-spake2 unsuitable as a normative reference for
> draft-ietf-kitten-krb-spake-preauth in my opinion.  Instead, we should
> describe the SPAKE2 algorithm within the Kerberos draft as it is used
> there, using the Abdalla/Pointcheval paper as an informative reference.

I agree that we don't want (and in fact can't use) the key derivation and
transcript hash from draft-irtf-cfrg-spake2-08, and don't see an issue with
referencing the document just for the core algebraic operations.

I had intended draft-irtf-cfrg-spake2 to have some text along the lines of
"in the absence of a more suitable application-defined transcript and
key-derivation mechanism, the following are defined for generic use", but
in the rush of getting submitted before the draft deadline that didn't
really come through.

-Ben

> I do not at this time understand why we would want or need to allocate
> new code points.

v2.23.0 | Report a Bug | By Email