[kitten] Eric Rescorla's No Objection on draft-ietf-kitten-pkinit-alg-agility-06: (with COMMENT)
Eric Rescorla via Datatracker <noreply@ietf.org> Thu, 14 March 2019 03:40 UTC
Return-Path: <noreply@ietf.org>
X-Original-To: kitten@ietf.org
Delivered-To: kitten@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 0627013127F; Wed, 13 Mar 2019 20:40:12 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Eric Rescorla via Datatracker <noreply@ietf.org>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-kitten-pkinit-alg-agility@ietf.org, Robbie Harwood <rharwood@redhat.com>, kitten-chairs@ietf.org, rharwood@redhat.com, kitten@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.94.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: Eric Rescorla <ekr@rtfm.com>
Message-ID: <155253481198.24861.15849658500473174931.idtracker@ietfa.amsl.com>
Date: Wed, 13 Mar 2019 20:40:11 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/rrVIYpj_njorSWqnEXgkMRjLndw>
Subject: [kitten] Eric Rescorla's No Objection on draft-ietf-kitten-pkinit-alg-agility-06: (with COMMENT)
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Mar 2019 03:40:12 -0000
Eric Rescorla has entered the following ballot position for draft-ietf-kitten-pkinit-alg-agility-06: No Objection When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-kitten-pkinit-alg-agility/ ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- IMPORTANT I think this document would benefit greatly from describing the downgrade properties of each of the axes on which algorithms can be negotiated against various forms of compromise in the digest function. The relevant case is one in which the client and KDC both support one weak and one strong algorithm. Can the attacker either (1) force them to complete a handshake with a weak algorithm or (2) convince one side that the other side supports a weak algorithm and then interpose itself as that side. Specifically it would be useful to know which attacks are possible with a collision attack versus a preimage attack (though this can sometimes be hard to know). Here is one case of a potential real downgrade attack (though not a very powerful one). The client sends a KRB-REQ signed with algorithm A, the attacker forges KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED listing anly some weaker algorithm. This causes the client to retry with that weaker algorithm. Is this attack detectable? It's not clear to me how (though it maybe could be if the message were folded into the transcript). OTOH, I don't think that the equivalent attack on the cert signer algorithms is necessarily very useful because presumably the certs are public already. OTOH, it might force the client into using some weaker key. I'm having a little trouble following the point in S 3. Is the idea that the paChecksum is always SHA-1 and you don't add a way to negotiate it, so you are instead folding the information into the KDF? If so, I think we need to work through the chain of logic here. As I understand it, the paRequest is included in the AuthPack, which is signed. So presumably the idea is that the AuthPack is signed with SHA-256 but because paChecksum is SHA-1, the binding is weak, right? But can you safely send a SHA-256 signature to a KDC which you have never talked to before? Can't you just get downgraded by the attack I describe above? Can you help unpack this for me? MINOR I wish you were using HKDF, but I don't think this is a dealbreaker.
- [kitten] Eric Rescorla's No Objection on draft-ie… Eric Rescorla via Datatracker
- Re: [kitten] Eric Rescorla's No Objection on draf… Robbie Harwood