[kitten] SPAKE and weak checksum types
Greg Hudson <ghudson@mit.edu> Mon, 11 September 2017 16:01 UTC
Return-Path: <ghudson@mit.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 68E5613314E for <kitten@ietfa.amsl.com>; Mon, 11 Sep 2017 09:01:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.221
X-Spam-Level:
X-Spam-Status: No, score=-4.221 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id k9rUVBC8CKZ1 for <kitten@ietfa.amsl.com>; Mon, 11 Sep 2017 09:01:04 -0700 (PDT)
Received: from dmz-mailsec-scanner-3.mit.edu (dmz-mailsec-scanner-3.mit.edu [18.9.25.14]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A989713314D for <kitten@ietf.org>; Mon, 11 Sep 2017 09:01:04 -0700 (PDT)
X-AuditID: 1209190e-afbff700000008e4-df-59b6b33fd10c
Received: from mailhub-auth-2.mit.edu ( [18.7.62.36]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-3.mit.edu (Symantec Messaging Gateway) with SMTP id 3B.EA.02276.F33B6B95; Mon, 11 Sep 2017 12:01:03 -0400 (EDT)
Received: from outgoing.mit.edu (OUTGOING-AUTH-1.MIT.EDU [18.9.28.11]) by mailhub-auth-2.mit.edu (8.13.8/8.9.2) with ESMTP id v8BG12Tn032589 for <kitten@ietf.org>; Mon, 11 Sep 2017 12:01:03 -0400
Received: from localhost (EQUAL-RITES.MIT.EDU [10.18.1.59]) (authenticated bits=0) (User authenticated as ghudson@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id v8BG11Wq006405 for <kitten@ietf.org>; Mon, 11 Sep 2017 12:01:02 -0400
From: Greg Hudson <ghudson@mit.edu>
To: kitten@ietf.org
Date: Mon, 11 Sep 2017 12:01:01 -0400
Message-ID: <x7defrdz0le.fsf@equal-rites.mit.edu>
MIME-Version: 1.0
Content-Type: text/plain
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFprIIsWRmVeSWpSXmKPExsUixG6nomu/eVukwfu1ChZHN69icWD0WLLk J1MAYxSXTUpqTmZZapG+XQJXxuGDDawFswUrNm+ezdTAeJ63i5GTQ0LAROL6n63MILaQwGIm if5Fml2MXED2cUaJHV8Ps0I4HUwSF35PZAepYhNQlli/fysLiC0iICyxe+s7sG5hATWJJ9tv gNksAqoSWw9MY+pi5ODgFTCUOLijFiTMKyAocXLmE7BWZgEJiYMvXjBPYOSehSQ1C0lqASPT KkbZlNwq3dzEzJzi1GTd4uTEvLzUIl1jvdzMEr3UlNJNjKAQ4JTk28E4qcH7EKMAB6MSD29D 77ZIIdbEsuLK3EOMkhxMSqK8745viRTiS8pPqcxILM6ILyrNSS0+xCjBwawkwnt2PVA5b0pi ZVVqUT5MSpqDRUmcV1yjMUJIID2xJDU7NbUgtQgmK8PBoSTBy7MJqFGwKDU9tSItM6cEIc3E wQkynAdo+LGNIMOLCxJzizPTIfKnGCWlxHnlQZoFQBIZpXlwva8YxYFeEOb1BMnyAOMZrusV 0EAmoIE8l7aADCxJREhJNTA2N0/OrvzSoX3+60/u4H23G9fLr3b8NzP81FWv5P+MjUkRCc+z W2qOqrSJOnyf++ey7PRWow9z907WcZoQzMfj+t9/WXPoO/eSn6Xf10Td/X7kIxujwsH9ZR7x jw8LvS/b8DM9ZdbyZdffT+9ukTeL/JpTerOak/NdXqZ1war/ct9XZ05d2eylxFKckWioxVxU nAgAUBR+p6QCAAA=
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/ngjZYwe-4l_MuJiY1yzH1x7jQCo>
Subject: [kitten] SPAKE and weak checksum types
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Sep 2017 16:01:13 -0000
Currently the SPAKE draft says, in security considerations: Weak checksums present a risk to the transcript checksum. Any etype with a checksum based on one of the following algorithms MUST NOT be used: * CRC32 * MD4 * MD5 I have several problems with this clause. The implementer doesn't get to choose the transcript checksum type; it is specified as the required checksum type of the initial reply key. To conform to this clause, and implementer must decline to offer SPAKE preauth if the initial reply key uses RC4 or DES. While those enctypes are problematic, I don't think it's ideal for the KDC to throw up its hands and use encrypted timestamp just because the SPAKE transcript checksum would be using MD5 (which is still preimage-resistant as far as we know). Also, this clause focuses on the transcript checksum, which seems like a difficult attack vector as it is merely one component of key derivation, while ignoring other possible weaknesses of the reply key encryption type, such as the integrity tag on the key confirmation or the confidentiality of second-factor data. I propose to replace this clause with the following wording: This mechanism does not upgrade the encryption type of the initial reply key, and relies on that encryption type for confidentiality, integrity, and pseudo-random functions. If the client long-term key uses a weak encryption type, an attacker might be able to subvert the exchange, and the replaced reply key will also be of the same weak encryption type. (During the design of the SPAKE preauth mechanism, I did consider the possibility of upgrading the reply key encryption type, so that the client long-term key is only used as a source of octets for the shared secret input to the SPAKE algorithm. Although that would be a neat benefit for deployments with a lot of legacy DES or RC4 client keys, it would significantly complicate the spec. It would also introduce a risk of a downgrade attack on the initial reply key enctype, e.g. if the KDC could be fooled into thinking that DES is a better choice than AES by altering the request enctype list.)
- [kitten] SPAKE and weak checksum types Greg Hudson
- Re: [kitten] SPAKE and weak checksum types Henry B Hotz
- Re: [kitten] SPAKE and weak checksum types Greg Hudson
- Re: [kitten] SPAKE and weak checksum types Robbie Harwood
- Re: [kitten] SPAKE and weak checksum types Benjamin Kaduk
- Re: [kitten] SPAKE and weak checksum types Greg Hudson
- Re: [kitten] SPAKE and weak checksum types Benjamin Kaduk
- Re: [kitten] SPAKE and weak checksum types Henry B (Hank) Hotz, CISSP
- Re: [kitten] SPAKE and weak checksum types Benjamin Kaduk