Re: [kitten] SPAKE and non-deterministic RFC 3961 checksums
Simo Sorce <simo@redhat.com> Mon, 25 September 2017 17:03 UTC
Return-Path: <simo@redhat.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 63BCB1344F0 for <kitten@ietfa.amsl.com>; Mon, 25 Sep 2017 10:03:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.901
X-Spam-Level:
X-Spam-Status: No, score=-6.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jEuyvwFamQwj for <kitten@ietfa.amsl.com>; Mon, 25 Sep 2017 10:03:13 -0700 (PDT)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6B4A91344E6 for <kitten@ietf.org>; Mon, 25 Sep 2017 10:03:13 -0700 (PDT)
Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.phx2.redhat.com [10.5.11.13]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 0E90C5D689; Mon, 25 Sep 2017 17:03:13 +0000 (UTC)
DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com 0E90C5D689
Authentication-Results: ext-mx10.extmail.prod.ext.phx2.redhat.com; dmarc=none (p=none dis=none) header.from=redhat.com
Authentication-Results: ext-mx10.extmail.prod.ext.phx2.redhat.com; spf=fail smtp.mailfrom=simo@redhat.com
Received: from ovpn-117-8.phx2.redhat.com (ovpn-117-8.phx2.redhat.com [10.3.117.8]) by smtp.corp.redhat.com (Postfix) with ESMTPS id B020778212; Mon, 25 Sep 2017 17:03:12 +0000 (UTC)
Message-ID: <1506358991.3211.1.camel@redhat.com>
From: Simo Sorce <simo@redhat.com>
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: kitten@ietf.org
Date: Mon, 25 Sep 2017 13:03:11 -0400
In-Reply-To: <20170923190527.GU96685@kduck.kaduk.org>
References: <x7d1sn5zyl8.fsf@equal-rites.mit.edu> <20170919015937.GN96685@kduck.kaduk.org> <1505920169.1143.15.camel@redhat.com> <20170923190527.GU96685@kduck.kaduk.org>
Organization: Red Hat, Inc.
Content-Type: text/plain; charset="UTF-8"
Mime-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.13
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.39]); Mon, 25 Sep 2017 17:03:13 +0000 (UTC)
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/rSebIZClAEesPvwYk-pJKsdM0Aw>
Subject: Re: [kitten] SPAKE and non-deterministic RFC 3961 checksums
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Sep 2017 17:03:15 -0000
On Sat, 2017-09-23 at 14:05 -0500, Benjamin Kaduk wrote: > On Wed, Sep 20, 2017 at 11:09:29AM -0400, Simo Sorce wrote: > > On Mon, 2017-09-18 at 20:59 -0500, Benjamin Kaduk wrote: > > > On Sun, Sep 17, 2017 at 01:24:51AM -0400, Greg Hudson wrote: > > > > > > > > The potential remedies I can think of fall into these bins: > > > > > > > > 1. Don't change the SPAKE design. Instead, update RFC 3961 to > > > > specify > > > > that new checksum types must be deterministic, and specify that > > > > SPAKE > > > > preauth can't be used with single-DES keys. Aside from the > > > > standards-space cost of pushing our problem down into a lower > > > > layer, the > > > > prohibition against using SPAKE with single-DES keys could make > > > > it > > > > harder for clients to be configured to refuse encrypted > > > > timestamp > > > > preauth on a pre-realm basis. That is perhaps not a large cost > > > > as > > > > Kerberos implementations are moving away from single-DES > > > > support > > > > anyway. > > > > > > > > 2. A relatively quick fix: use PRF instead of checksum. (Or > > > > PRF+, > > > > in > > > > which case we have to decide how much length of output we > > > > want.) I > > > > think PRF has the requisite properties, but I would want to > > > > think > > > > on it > > > > more. > > > > > > This is probably the most appealing option, provided we can > > > accurately > > > state which properties we need (and they are provided by PRF(+)). > > > > Why is this more appealing than just saying no to DES ? > > Do we have any concern we may get future enc types that have non- > > deterministic checksums ? > > There's two aspects that push me this way: first, from a standards process > point of view, now we have to also Update a core protocol spec and hope > that people remember to check our new document whenver they try to make > a new enctype/checksum type. While it's unlikely that a hyptoehtical > future document would actually get through the full process with such an > error, it does add to the burden on future work in this space. The second > concern relates to implementations, in that there will need to be some sort > of logic to handle the interaction of single-DES and SPAKE preauth. If > we were in a place where implementations were actively removing the code > for single-DES support, I would not see this as an issue, but my understanding > is that we're still several years (at least!) away from completely removing > the code (as opposed to just not using it by default). Even though we > know that no one ought to be using the two things together, our code still > has to come up with something to do in that case, and if we get the logic > wrong things could break badly. Why not simply state in the spake document that single-DES MUST NOT be supported ? > > > > 3. We could use a hash (it doesn't need to be keyed) > > > > independent of > > > > RFC > > > > 3961. The hash algorithm could be specified in the group > > > > profile, > > > > perhaps, but I believe the rejected-optimistic-challenge case > > > > poses > > > > a > > > > difficulty for that design. > > > > > > The hash algorithm could also be negotiated independently (so > > > that in > > > practice, e.g., sha256 is always used, at least in the initial > > > deployments). > > > For the rejected-optimistic case there is still an issue, but if > > > the > > > KDC > > > only supports O(2) hash algorithms during a hash transition, then > > > the > > > amount of state needed in the cookie is bounded by a number that > > > might > > > be smaller than the number of supported groups (but then again, > > > might > > > not). > > > > The nice thing about using the enctypes is that as new ones will > > come > > out with new, stronger checksums, we'll get those automatically, > > without adding a new thing to negotiate ... > > That is a good point, about the required checksum being matched in > perceived strength, and that holding as an invariant in the future. > > > > > 4. The most open-ended option is to back up and reconsider the > > > > purpose > > > > of the transcript checksum, which is to bind at least the > > > > public > > > > keys > > > > into key derivation. The current transcript also binds in > > > > group > > > > negotiation and the initial factor challenge. I can't > > > > immediately > > > > think > > > > of an alternative design which doesn't require the KDC to store > > > > a > > > > lot of > > > > information in the cookie. > > > > > > I agree that we are likely to end up with something resembling a > > > "transcript hash", even if it does not directly use a hash > > > primitve. > > > > I have to say that between PRF and a separate Hash I would rather > > use a > > separate hash. > > Hmm, so no we have a split on 2 vs. 3, unless we can somehow make 1 > more > appetizing. Do we have the collective will to make single-DES > actually > go away entirely and force any continued users to either run custom > solutions > or stay on old software? I say that if you are on old software you have bigger problems to deal with than not being able to use SPAKE, and having SPAKE actively disallow a knowingly broken enctype is not a bad thing at all. It gives you one more lever to get off of DES. Simo. -- Simo Sorce Sr. Principal Software Engineer Red Hat, Inc
- Re: [kitten] SPAKE and non-deterministic RFC 3961… Benjamin Kaduk
- Re: [kitten] SPAKE and non-deterministic RFC 3961… Henry B (Hank) Hotz, CISSP
- Re: [kitten] SPAKE and non-deterministic RFC 3961… Robbie Harwood
- Re: [kitten] SPAKE and non-deterministic RFC 3961… Henry B (Hank) Hotz, CISSP
- Re: [kitten] SPAKE and non-deterministic RFC 3961… Henry B (Hank) Hotz, CISSP
- Re: [kitten] SPAKE and non-deterministic RFC 3961… Benjamin Kaduk
- [kitten] SPAKE and non-deterministic RFC 3961 che… Greg Hudson
- Re: [kitten] SPAKE and non-deterministic RFC 3961… Benjamin Kaduk
- Re: [kitten] SPAKE and non-deterministic RFC 3961… Simo Sorce
- Re: [kitten] SPAKE and non-deterministic RFC 3961… Henry B (Hank) Hotz, CISSP
- Re: [kitten] SPAKE and non-deterministic RFC 3961… Benjamin Kaduk
- Re: [kitten] SPAKE and non-deterministic RFC 3961… Simo Sorce
- Re: [kitten] SPAKE and non-deterministic RFC 3961… Benjamin Kaduk