IETF Logo Mail Archive

Re: [kitten] review of draft-ietf-kitten-krb-spake-preauth-00

Greg Hudson <ghudson@mit.edu> Tue, 29 August 2017 15:28 UTC

Return-Path: <ghudson@mit.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 169E1132D0B; Tue, 29 Aug 2017 08:28:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZH98AMt3RF25; Tue, 29 Aug 2017 08:28:33 -0700 (PDT)
Received: from dmz-mailsec-scanner-1.mit.edu (dmz-mailsec-scanner-1.mit.edu [18.9.25.12]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 542C6132C3B; Tue, 29 Aug 2017 08:28:33 -0700 (PDT)
X-AuditID: 1209190c-53bff70000005ea2-dc-59a588209cd5
Received: from mailhub-auth-2.mit.edu ( [18.7.62.36]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-1.mit.edu (Symantec Messaging Gateway) with SMTP id DE.04.24226.02885A95; Tue, 29 Aug 2017 11:28:32 -0400 (EDT)
Received: from outgoing.mit.edu (OUTGOING-AUTH-1.MIT.EDU [18.9.28.11]) by mailhub-auth-2.mit.edu (8.13.8/8.9.2) with ESMTP id v7TFSV1O014468; Tue, 29 Aug 2017 11:28:31 -0400
Received: from [18.101.8.82] (VPN-18-101-8-82.MIT.EDU [18.101.8.82]) (authenticated bits=0) (User authenticated as ghudson@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id v7TFSSu1022134 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Tue, 29 Aug 2017 11:28:30 -0400
To: Benjamin Kaduk <kaduk@mit.edu>
References: <20170818181043.GC35188@kduck.kaduk.org> <59e6271c-5970-5cb7-209a-73a1e02cc5f8@mit.edu> <20170829014303.GN96685@kduck.kaduk.org>
Cc: kitten@ietf.org, draft-ietf-kitten-krb-spake-preauth@ietf.org
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <8bfdfb7c-9cc4-d6ee-125b-91713bdc2925@mit.edu>
Date: Tue, 29 Aug 2017 11:28:28 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <20170829014303.GN96685@kduck.kaduk.org>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 7bit
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFnrOIsWRmVeSWpSXmKPExsUixG6noqvQsTTS4Ph6UYvHWz4zWhzdvIrF gcljyZKfTAGMUVw2Kak5mWWpRfp2CVwZLxZLFzwVrOjZfYGtgXE7XxcjJ4eEgInEqSermLsY uTiEBBYzSXxpgXE2MkpsvrGADcI5xCQx60wLM0iLsICtxLFpN8FsEQElicVnW6CKJjBKfGhe CZZgFnCU+PTjESuIzSagLLF+/1YWEJtXwEriZ9srNhCbRUBV4uPxZnYQW1QgQuJh5y52iBpB iZMznwDVc3BwCphKXO+MgBipJ7Hj+i9WCFteYvvbOcwTGAVmIemYhaRsFpKyBYzMqxhlU3Kr dHMTM3OKU5N1i5MT8/JSi3QN9XIzS/RSU0o3MYLCk1OSZwfjmTdehxgFOBiVeHh3li6NFGJN LCuuzD3EKMnBpCTK29gIFOJLyk+pzEgszogvKs1JLT7EKMHBrCTC29wGlONNSaysSi3Kh0lJ c7AoifNKaDRGCAmkJ5akZqemFqQWwWRlODiUJHgl24EaBYtS01Mr0jJzShDSTBycIMN5gIaL g9TwFhck5hZnpkPkTzEqSonzPm8FSgiAJDJK8+B6wekjlSPoFaM40CvCvE4g7TzA1APX/Qpo MBPQ4FgvsMEliQgpqQbGG/fm3m14c9XR51A//+S5m1OefP1hfoSF+1DC2iecu35c2HY7RfC+ zbkCt8WlPF0ardc+W+1Q5K85HdDUsadePCTi3LsPvkctLdbPLjZYduvsxw6LGxwTLp2+Itgk 3r9q+Rr/T5J9B08Gn9vNy730WuGS38nvPhy7lyqmnfZs3+H/O2R2B9WKuiqxFGckGmoxFxUn AgC8olB1+gIAAA==
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/kghEt1ld3xYjfvsXmtNdgjFAWH0>
Subject: Re: [kitten] review of draft-ietf-kitten-krb-spake-preauth-00
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Aug 2017 15:28:35 -0000

On 08/28/2017 09:43 PM, Benjamin Kaduk wrote:
>> Agreed.  I have the ability to generate test vectors (using a separate
>> Python implementation, not the C implementation for MIT krb5), but they
>> will change when key usage values are assigned, so I haven't included
>> any in the draft yet.
> 
> It seems likely that this document will advance before
> draft-ietf-kitten-kerberos-iana-registries.  Do I understand correctly
> that the Kerberos Registrar role has been transferred to you?  Any
> comment on when you would feel comfortable making an official assignment?

I would like a sense of consensus on the material aspects of the
protocol (as opposed to its presentation), to avoid having to reassign
the numbers and deprecate the old ones.  Having reviews from you and
Hank that don't propose material changes (now that the transcript
checksum issue is resolved) is helpful there.

I would also like to propose adding an ed25519 group (as I have put
together a decent implementation of one by borrowing code from
BoringSSL) and perhaps making it the only mandatory-to-implement group;
that should probably happen before assigning numbers.  That should of
course be discussed in a separate thread.

>>> Section 1.2 should probably compare the single-round-trip nature of
>>> SPAKE against the round-trip count of ENC_TIMESTAMP.
>>
>> I am not sure there's any concise comparison to be made for this
>> section.  The way we are using SPAKE (with the KDC presenting the
>> initial public value) means we might use one more round trip than
>> encrypted timestamp, or we might use the same number if one of the
>> described optimizations is used.
> 
> I was imagining something like:
> 
> [... single round trip, allowing SPAKE preauthentication to occur in
> the same number of round trips as encrypted timestamp, if either
> optimization from section 4.6 is used.  If neither optimization is used,
> an additional round trip is incurred, but in consideration of all the
> above properties, SPAKE remains an ideal PAKE for use in Kerberos
> pre-authentication.

As this section is still just talking about general PAKE algorithms, I
think it would be confusing to start diving into the weeds of the
specific protocol this early.

v2.23.0 | Report a Bug | By Email