IETF Logo Mail Archive

[kitten] SPAKE and weak checksum types

Greg Hudson <ghudson@mit.edu> Mon, 11 September 2017 16:01 UTC

Return-Path: <ghudson@mit.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 68E5613314E for <kitten@ietfa.amsl.com>; Mon, 11 Sep 2017 09:01:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.221
X-Spam-Level:
X-Spam-Status: No, score=-4.221 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id k9rUVBC8CKZ1 for <kitten@ietfa.amsl.com>; Mon, 11 Sep 2017 09:01:04 -0700 (PDT)
Received: from dmz-mailsec-scanner-3.mit.edu (dmz-mailsec-scanner-3.mit.edu [18.9.25.14]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A989713314D for <kitten@ietf.org>; Mon, 11 Sep 2017 09:01:04 -0700 (PDT)
X-AuditID: 1209190e-afbff700000008e4-df-59b6b33fd10c
Received: from mailhub-auth-2.mit.edu ( [18.7.62.36]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-3.mit.edu (Symantec Messaging Gateway) with SMTP id 3B.EA.02276.F33B6B95; Mon, 11 Sep 2017 12:01:03 -0400 (EDT)
Received: from outgoing.mit.edu (OUTGOING-AUTH-1.MIT.EDU [18.9.28.11]) by mailhub-auth-2.mit.edu (8.13.8/8.9.2) with ESMTP id v8BG12Tn032589 for <kitten@ietf.org>; Mon, 11 Sep 2017 12:01:03 -0400
Received: from localhost (EQUAL-RITES.MIT.EDU [10.18.1.59]) (authenticated bits=0) (User authenticated as ghudson@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id v8BG11Wq006405 for <kitten@ietf.org>; Mon, 11 Sep 2017 12:01:02 -0400
From: Greg Hudson <ghudson@mit.edu>
To: kitten@ietf.org
Date: Mon, 11 Sep 2017 12:01:01 -0400
Message-ID: <x7defrdz0le.fsf@equal-rites.mit.edu>
MIME-Version: 1.0
Content-Type: text/plain
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFprIIsWRmVeSWpSXmKPExsUixG6nomu/eVukwfu1ChZHN69icWD0WLLk J1MAYxSXTUpqTmZZapG+XQJXxuGDDawFswUrNm+ezdTAeJ63i5GTQ0LAROL6n63MILaQwGIm if5Fml2MXED2cUaJHV8Ps0I4HUwSF35PZAepYhNQlli/fysLiC0iICyxe+s7sG5hATWJJ9tv gNksAqoSWw9MY+pi5ODgFTCUOLijFiTMKyAocXLmE7BWZgEJiYMvXjBPYOSehSQ1C0lqASPT KkbZlNwq3dzEzJzi1GTd4uTEvLzUIl1jvdzMEr3UlNJNjKAQ4JTk28E4qcH7EKMAB6MSD29D 77ZIIdbEsuLK3EOMkhxMSqK8745viRTiS8pPqcxILM6ILyrNSS0+xCjBwawkwnt2PVA5b0pi ZVVqUT5MSpqDRUmcV1yjMUJIID2xJDU7NbUgtQgmK8PBoSTBy7MJqFGwKDU9tSItM6cEIc3E wQkynAdo+LGNIMOLCxJzizPTIfKnGCWlxHnlQZoFQBIZpXlwva8YxYFeEOb1BMnyAOMZrusV 0EAmoIE8l7aADCxJREhJNTA2N0/OrvzSoX3+60/u4H23G9fLr3b8NzP81FWv5P+MjUkRCc+z W2qOqrSJOnyf++ey7PRWow9z907WcZoQzMfj+t9/WXPoO/eSn6Xf10Td/X7kIxujwsH9ZR7x jw8LvS/b8DM9ZdbyZdffT+9ukTeL/JpTerOak/NdXqZ1war/ct9XZ05d2eylxFKckWioxVxU nAgAUBR+p6QCAAA=
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/ngjZYwe-4l_MuJiY1yzH1x7jQCo>
Subject: [kitten] SPAKE and weak checksum types
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Sep 2017 16:01:13 -0000

Currently the SPAKE draft says, in security considerations:

    Weak checksums present a risk to the transcript checksum. Any etype
    with a checksum based on one of the following algorithms MUST NOT be
    used:

    * CRC32
    * MD4
    * MD5

I have several problems with this clause.  The implementer doesn't get
to choose the transcript checksum type; it is specified as the required
checksum type of the initial reply key.  To conform to this clause, and
implementer must decline to offer SPAKE preauth if the initial reply key
uses RC4 or DES.  While those enctypes are problematic, I don't think
it's ideal for the KDC to throw up its hands and use encrypted timestamp
just because the SPAKE transcript checksum would be using MD5 (which is
still preimage-resistant as far as we know).

Also, this clause focuses on the transcript checksum, which seems like a
difficult attack vector as it is merely one component of key derivation,
while ignoring other possible weaknesses of the reply key encryption
type, such as the integrity tag on the key confirmation or the
confidentiality of second-factor data.

I propose to replace this clause with the following wording:

    This mechanism does not upgrade the encryption type of the initial
    reply key, and relies on that encryption type for confidentiality,
    integrity, and pseudo-random functions. If the client long-term key
    uses a weak encryption type, an attacker might be able to subvert
    the exchange, and the replaced reply key will also be of the same
    weak encryption type.

(During the design of the SPAKE preauth mechanism, I did consider the
possibility of upgrading the reply key encryption type, so that the
client long-term key is only used as a source of octets for the shared
secret input to the SPAKE algorithm.  Although that would be a neat
benefit for deployments with a lot of legacy DES or RC4 client keys, it
would significantly complicate the spec.  It would also introduce a risk
of a downgrade attack on the initial reply key enctype, e.g. if the KDC
could be fooled into thinking that DES is a better choice than AES by
altering the request enctype list.)

v2.23.0 | Report a Bug | By Email