[kitten] New s2k and exposing the strength (iteration count) part of s2kparams
Nico Williams <nico@cryptonector.com> Mon, 02 December 2013 21:04 UTC
Return-Path: <nico@cryptonector.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 999D71ADF73 for <kitten@ietfa.amsl.com>; Mon, 2 Dec 2013 13:04:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.378
X-Spam-Level:
X-Spam-Status: No, score=-0.378 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, FROM_12LTRDOM=1, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mE2iNiX2G_JS for <kitten@ietfa.amsl.com>; Mon, 2 Dec 2013 13:04:53 -0800 (PST)
Received: from homiemail-a63.g.dreamhost.com (caiajhbdcagg.dreamhost.com [208.97.132.66]) by ietfa.amsl.com (Postfix) with ESMTP id D86791ADF5C for <kitten@ietf.org>; Mon, 2 Dec 2013 13:04:53 -0800 (PST)
Received: from homiemail-a63.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a63.g.dreamhost.com (Postfix) with ESMTP id 9BE0E2F4071 for <kitten@ietf.org>; Mon, 2 Dec 2013 13:04:51 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h= mime-version:date:message-id:subject:from:to:content-type; s= cryptonector.com; bh=UBe9bqLdLWCKJ7y+IG5iNj42sbI=; b=qqSXdqBftSk xl49hGAPYLrgASW/3WanDigOU8TvRt30YkCpMZUlyO1l47CT4BJ7hzp/3UNBTHwT W6d4acfxD5P5G9540dXyOlgTUJrg+pYZYyhihdr9jexyUtoO5EQXKARqtoxvqflV AA+KNLLBh1XlYEIaOF8SPSg+F4boADxM=
Received: from mail-wi0-f169.google.com (mail-wi0-f169.google.com [209.85.212.169]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by homiemail-a63.g.dreamhost.com (Postfix) with ESMTPSA id 49D6C2F4057 for <kitten@ietf.org>; Mon, 2 Dec 2013 13:04:51 -0800 (PST)
Received: by mail-wi0-f169.google.com with SMTP id hn6so1070763wib.4 for <kitten@ietf.org>; Mon, 02 Dec 2013 13:04:49 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=mime-version:date:message-id:subject:from:to:content-type; bh=74A1OFeeGl/mtFAWkImIl8p7SK0YaNpw9e2W+aBhxXI=; b=Ih6Qr+i2rNInKwIldYMIZIJ4d/4yU6emT9rqIR/Qt5SGiZNfpNPd8Ae4wLvhWmZwbg basndwtBtvMowle2Xa3v6qyAwkeYaRw+QEDa5yiZI2bexkPgHpuf8Op7C6gnc10OR1Pn oNKOxuAboqRzb/AiXbPMozBtEl0CKlDHi0e+q+NREcostE1JJz7nn7WP9xRLhKqri8yZ 3uems0Vk3Qu/g40r/67LHFfMRzKuSNbbel3f5S3BP77Ldr6MXoDf6+Cjz9nj+fFNkPlD LoZeKRvcOB3mvrPOBQYIKoKCt8e65hokW5DPgZ0ypx6rrBon8pUg0OMvGd1s2oWkAjI6 c+3Q==
MIME-Version: 1.0
X-Received: by 10.194.171.34 with SMTP id ar2mr13407wjc.81.1386018289478; Mon, 02 Dec 2013 13:04:49 -0800 (PST)
Received: by 10.216.151.136 with HTTP; Mon, 2 Dec 2013 13:04:49 -0800 (PST)
Date: Mon, 02 Dec 2013 15:04:49 -0600
Message-ID: <CAK3OfOgeJW9XoaNYKytKQqeTzjgCE4xNnhhhCyhBzZZ=kJ+o4w@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: "kitten@ietf.org" <kitten@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Subject: [kitten] New s2k and exposing the strength (iteration count) part of s2kparams
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 02 Dec 2013 21:04:54 -0000
ISTM that we should: 1) Expose the iteration count of the otherwise-opaque s2k params, and standardize it, renaming it a strength indication and leaving its interpretation as mechanism-specific. I.e., from now on all new enctypes with s2kparams will have theirs start with a four-octet, network byte order unsigned measure of strength. The rationale for this is based on: a) that utilities like ktutil need access to this in some cases (e.g., when KDCs are not reachable) b) KDC-side admin utilities (e.g., kadmin, LDAP clients of an LDAP-based KDB) need to know how to set s2k strenght, otherwise there's no way to ever change the default! c) we need it to be easy to add at least a synthetic strength parameter option in administrative tools d) all new enctypes with s2k functions can be expected to have a reasonable synthetic strength measure e) admins can be expected to understand strength measures for specific enctypes (particularly given how few enctypes/enctype families we'll have that have opaque s2kparams). Enctypes can't be expected to have normalized strength measures though. I.e., a strength of 4096 may mean one thing to one enctype and another to a different enctype. 2) It'd be nice if we could add memory-hard s2k functions. I'm not sure what NIST is prepared to consider here. I guess anything provably not weaker than PBKDF2 should be acceptable, but I'm not sure how to construct such a thing (XOR of two s2ks is not necessarily provably not weaker than either of the s2ks; consider the case where they are the same s2k!). For a memory- and compute-hard s2k the strength measure might be composed of two numbers, one indicating memory strength and the other indicating compute strength. Nico --
- [kitten] New s2k and exposing the strength (itera… Nico Williams
- Re: [kitten] New s2k and exposing the strength (i… Jeffrey Hutzelman
- Re: [kitten] New s2k and exposing the strength (i… Nico Williams