Re: [kitten] New Version Notification for draft-howard-gss-sanon-01.txt

Nico Williams <nico@cryptonector.com> Mon, 06 April 2020 19:52 UTC

Date: Mon, 06 Apr 2020 14:52:16 -0500
From: Nico Williams <nico@cryptonector.com>
To: Luke Howard <lukeh@padl.com>
Cc: "kitten@ietf.org" <kitten@ietf.org>, Jeffrey Altman <jaltman@auristor.com>, Greg Hudson <ghudson@mit.edu>
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/mFHmbDMqDoLT6_D77z-hz1VGi9w>

On Mon, Apr 06, 2020 at 10:43:27AM -0500, Nico Williams wrote:
> On Mon, Apr 06, 2020 at 11:24:31AM +1000, Luke Howard wrote:
> > > - Section 6.1.2
> > > 
> > >   The acceptor should also send a MIC along with the key, thus proving
> > >   it has possession of the shared secret.  This is important, otherwise
> > >   reply tokens could be replayed, and though it wouldn't be much of an
> > >   attack, it's worth doing.
> > 
> > Happy to add this, but is it much of an attack? Both parties are
> > anonymous, so (as we discovered with GS2) this mechanism is completely
> > superfluous unless you intend to use a message protection service (or
> > PRF), which will fail in a replay attack.
> 
> For pure GSS/SAnon apps it probably makes no difference, but it might
> for future stacks combining SAnon with other things.

Well, one nice thing about the MIC is that it allows the initiator to
detect CB failure earlier.  Heck, if the application protocol were to
only have per-message tokens flowing from the initiator to the acceptor,
then the initiator would never find out about CB failures.  So we want
the MIC.

(Not that CB is terribly useful in a mechanism that provides no
authentication, but let's ignore that for this purpose.)
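
The early-detection argument above, as an added sketch that is not part of the original message or of the draft. It assumes a toy model in which each side mixes its own view of the channel bindings into the context key; the KDF, the MIC input and all function names are hypothetical and are not the draft's construction.

```python
import hashlib
import hmac
import os


def derive_key(shared_secret: bytes, channel_bindings: bytes) -> bytes:
    """Toy KDF (assumption): mixes one side's view of the channel bindings into the key."""
    return hmac.new(shared_secret, b"toy-context-key|" + channel_bindings,
                    hashlib.sha256).digest()


def mic(key: bytes, data: bytes) -> bytes:
    """Toy MIC (assumption): HMAC-SHA256 over the data with the context key."""
    return hmac.new(key, data, hashlib.sha256).digest()


def run_exchange(initiator_cb: bytes, acceptor_cb: bytes,
                 acceptor_sends_mic: bool) -> dict:
    shared_secret = os.urandom(32)    # stands in for the key agreement result
    initiator_token = os.urandom(32)  # stands in for the initiator's context token

    # Acceptor: derive its key and optionally add a MIC to the reply token.
    acceptor_key = derive_key(shared_secret, acceptor_cb)
    reply_mic = mic(acceptor_key, initiator_token) if acceptor_sends_mic else None

    # Initiator: derive its key; if a MIC came back, verify it before
    # treating the context as established.
    initiator_key = derive_key(shared_secret, initiator_cb)
    if reply_mic is not None:
        established = hmac.compare_digest(
            reply_mic, mic(initiator_key, initiator_token))
    else:
        established = True  # nothing to check in the reply token

    # Application traffic flows initiator -> acceptor only, so a rejection
    # on the acceptor side is never reported back to the initiator.
    accepted = False
    if established:
        message = b"constructed application message"
        tag = mic(initiator_key, message)
        accepted = hmac.compare_digest(tag, mic(acceptor_key, message))

    return {"initiator_established": established,
            "acceptor_accepted_message": accepted}
```

With mismatched channel bindings and no MIC in the reply, the initiator considers the context established while the acceptor silently rejects every message; with the MIC, the mismatch surfaces during context establishment.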