[kitten] Freshness Security Considerations for minimum/maximum size
Michiko Short <michikos@microsoft.com> Thu, 01 December 2016 17:55 UTC
Return-Path: <michikos@microsoft.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BD23B12967C for <kitten@ietfa.amsl.com>; Thu, 1 Dec 2016 09:55:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.002
X-Spam-Level:
X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2Qt7CKh0-gNl for <kitten@ietfa.amsl.com>; Thu, 1 Dec 2016 09:55:35 -0800 (PST)
Received: from NAM01-BY2-obe.outbound.protection.outlook.com (mail-by2nam01on0113.outbound.protection.outlook.com [104.47.34.113]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8E3BA12969E for <kitten@ietf.org>; Thu, 1 Dec 2016 09:55:35 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=79EGbnZf/T+Zl4cXBWrLz91pxki8SzbhJm5fKQhYGgg=; b=KUKowo0u1hUoVWH59AZRA6bBsaZiZN200AWPixFr8KpGK837qawt+4DesHKwHtCAh7oI7jiKhQl8SgrtujcuwE0cK/KrWIs6RYNh6WUACyofdFqUCv4k2qrT49tsGpAhN7vO+5vUKjRB4S23T7KGar1tWaNH1VKF0vP/8E44cbQ=
Received: from CY1PR03MB2315.namprd03.prod.outlook.com (10.166.207.138) by CY1PR03MB2315.namprd03.prod.outlook.com (10.166.207.138) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.734.8; Thu, 1 Dec 2016 17:55:34 +0000
Received: from CY1PR03MB2315.namprd03.prod.outlook.com ([10.166.207.138]) by CY1PR03MB2315.namprd03.prod.outlook.com ([10.166.207.138]) with mapi id 15.01.0734.020; Thu, 1 Dec 2016 17:55:34 +0000
From: Michiko Short <michikos@microsoft.com>
To: "kitten@ietf.org" <kitten@ietf.org>
Thread-Topic: Freshness Security Considerations for minimum/maximum size
Thread-Index: AdJL+WK9inTSuXD+SZmasY5nwhJ7MA==
Date: Thu, 01 Dec 2016 17:55:34 +0000
Message-ID: <CY1PR03MB2315AC54FFAF0CC292EBDD71D08F0@CY1PR03MB2315.namprd03.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=michikos@microsoft.com;
x-originating-ip: [2001:4898:80e8:d::3a6]
x-microsoft-exchange-diagnostics: 1; CY1PR03MB2315; 7:5zHw76fetWOFG4hR9EVQ1Wr1zxTQUVb6XLUN2Pysq/iW3XYeFMLIfkslwN+vnk9h0HsFoU6sgF/Re6lxNucQqbB/vbZZ0zpxQEuK5e24dWs03lVdX+gGnRGaWO905eiGcHK10tQEGLJm08qd2P8EdJwRE0PjOxZTGBNxzedg5ishCuhqYya9Ko4JJAzxeJoMtFz4lne8Ha944wVyhA3j9p9aXZnzlpAOoTWJPjSrOYAlABrvbCOWCF2y2macT4MnRJJTNp3DMv91+UBHlixdFlV/iYcWurgp+7GeMn1RHYaPgSTLmTgfAVAB1FDsuNLQPREXJhzN3CbGjsmfwlUWQQboYXVX/HEK1FFXbqeKIJCEZYPiZZS/gw/qaw4L0ECD
x-ms-office365-filtering-correlation-id: 47e081fd-97a7-4ce9-c400-08d41a133fd6
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:(22001);SRVR:CY1PR03MB2315;
x-microsoft-antispam-prvs: <CY1PR03MB2315BF2795AD3857900C50D3D08F0@CY1PR03MB2315.namprd03.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(192374486261705)(21748063052155);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425038)(6040375)(601004)(2401047)(8121501046)(5005006)(10201501046)(3002001)(6055026)(61426038)(61427038)(6041248)(20161123562025)(20161123564025)(20161123560025)(20161123555025)(6072148)(6047074); SRVR:CY1PR03MB2315; BCL:0; PCL:0; RULEID:; SRVR:CY1PR03MB2315;
x-forefront-prvs: 014304E855
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(7916002)(199003)(189002)(76576001)(3660700001)(2900100001)(77096006)(8990500004)(38730400001)(5005710100001)(450100001)(10290500002)(81156014)(107886002)(8676002)(92566002)(39410400001)(7110500001)(39450400002)(81166006)(1730700003)(6506003)(8936002)(101416001)(6916009)(97736004)(189998001)(122556002)(9686002)(7696004)(86362001)(2906002)(54356999)(6116002)(790700001)(33656002)(105586002)(102836003)(2351001)(99286002)(106356001)(110136003)(86612001)(50986999)(5640700001)(5630700001)(7736002)(5660300001)(15650500001)(2501003)(10090500001)(74316002)(7846002)(68736007)(2420400007)(3280700002)(10710500007); DIR:OUT; SFP:1102; SCL:1; SRVR:CY1PR03MB2315; H:CY1PR03MB2315.namprd03.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_CY1PR03MB2315AC54FFAF0CC292EBDD71D08F0CY1PR03MB2315namp_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 01 Dec 2016 17:55:34.2781 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY1PR03MB2315
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/m0j9HhxMhR5Kn_N9CvwrsjxbJWc>
Subject: [kitten] Freshness Security Considerations for minimum/maximum size
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Dec 2016 17:55:39 -0000
We have concerns about the lack of guidance about size of the freshness token. Minimum length Problematic due to the fact that we intentionally did not specify the format of the freshness token. Since the structure of the freshness token is left up to the KDC, there is no good way to determine a minimum size. However, we can add to the security considerations: Although we don't specify the format of the freshness token, there are a few size considerations based on if the following are used: - Nonce: Size is determined by the birthday problem. - Symmetric cryptography: Size is determined by properties of the encryption types supported. - Asymmetric cryptography: Size is determined by properties of the encryption types supported. Maximum length A maximum size makes sense as a way to avoid processing messages that are clearly bad. Is there an accepted value for a worst case CMS signature?
- [kitten] Freshness Security Considerations for mi… Michiko Short
- Re: [kitten] Freshness Security Considerations fo… Greg Hudson
- Re: [kitten] Freshness Security Considerations fo… Henry B (Hank) Hotz, CISSP
- Re: [kitten] Freshness Security Considerations fo… Michiko Short