Re: [kitten] Question about AES mode in Kerberos
Olga Kornievskaia <aglo@umich.edu> Wed, 11 January 2023 16:34 UTC
Return-Path: <olga.kornievskaia@gmail.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7F4D3C15949A for <kitten@ietfa.amsl.com>; Wed, 11 Jan 2023 08:34:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.65
X-Spam-Level:
X-Spam-Status: No, score=-6.65 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.096, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=umich.edu
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KWGIXd9M1CPg for <kitten@ietfa.amsl.com>; Wed, 11 Jan 2023 08:34:49 -0800 (PST)
Received: from mail-pl1-x632.google.com (mail-pl1-x632.google.com [IPv6:2607:f8b0:4864:20::632]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F411AC15C526 for <kitten@ietf.org>; Wed, 11 Jan 2023 08:34:41 -0800 (PST)
Received: by mail-pl1-x632.google.com with SMTP id y1so17348961plb.2 for <kitten@ietf.org>; Wed, 11 Jan 2023 08:34:41 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=umich.edu; s=google-2016-06-03; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=VY/UVYSmWNrzGT5ELYdUimn5LRXZEAsoErEaBD+ty6E=; b=oHeCLUv7l3MHneXs4ntkjaZ9yWcGTfz/PGKgJFjfGva/B3N9s+NEGBBLG3DIfi8su9 OpG9jWUmGZ6pg8255gCqK3w6w9SzOl0OeVkto9CstfhmMuu1bpmCvcWO53XGnJI6ZZGs OZVUAafPgndwwBFDL81zeRKEPPp0TEhkb4pY+l6vrz1LgKg3L3ho0PgdS8o+mA28NoQH 1nJS9jXaWzDD/NCmLIfa0Lp2X27y09arvcs529o5S3Znc5Bx6JXX3Q+ZRmtsDEi3UftN 9csxZ8nqk/SmVM1omDVgEEJ50yGfg1VlLROOS0Dya2SST1/A89j4GDx3juKij+yHSEYI vEeQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=VY/UVYSmWNrzGT5ELYdUimn5LRXZEAsoErEaBD+ty6E=; b=o1+gd8QzfQyCoGhk2uf09hLU71TXwnnu0srmp09tP8EkaI//Z8dHzJXPxoAn7E0Q69 w4PkGe/tWyfrHedynZZhm0Wy3fc5thuXHejEt27yqDVGjufiDJMCXMgzKy414GPKKAfL NMODMnPjq/q9vppUSPnmpxXQeiNKXA41a8sbWKPyRmH0UiUw/KwAqe1m8FmIwcKgGfT8 N+t3beY3c2dXFxPG/OFN4oV3wpCntfUjlKksXTn/Xtu/lHDBEhDhF5AuRd2nsbA5XUuc VRVUrJW37aMOtkAVpOFQSxKV/n40wD3A0LMKT6GQz2IEgaIDbSml8W1t06w1y9pxLfiS hiQQ==
X-Gm-Message-State: AFqh2kp6IYBNipmZtmRmFhAo1Ene0UjrBnwhTU7nQ/WxDo8X3pwFGz6k 29xeRO3lI7tQm5VdFPoEXM2MskNhS+tDJ17e9G1nnSzL
X-Google-Smtp-Source: AMrXdXsiJlHcLy3CRCEgvfcvbYmPX/KD8XrMR+x/sMipinF4LMl0uiQ+UR0ssXmwCM/sc6+XLsU870jNOVVhyY3c+qk=
X-Received: by 2002:a17:903:2451:b0:193:2364:468b with SMTP id l17-20020a170903245100b001932364468bmr1155948pls.97.1673454881037; Wed, 11 Jan 2023 08:34:41 -0800 (PST)
MIME-Version: 1.0
References: <CAN-5tyGGJXoo9RfKEGTsk8XeQDpZ--VSnO7nunzvnBBzrRB0WQ@mail.gmail.com> <558f31de-7fac-26c7-fe81-8e486968f0ef@secure-endpoints.com> <7B46A5A4-4415-4627-B964-44F2516D84FE@padl.com> <9464B1FF-6784-4D59-A4F6-1B5D58C2B94F@padl.com> <CAN-5tyE4eau116TkDLbvn+pTOjK_C+WEvi9SnUELr+4riTpZcw@mail.gmail.com> <cb3ff38f-7e62-0711-9a6c-50a96b571e2d@mit.edu> <CAN-5tyFA41VMz_3tBmh+FeefBBJOxfi1AoUCqUkRHR3z43qrKg@mail.gmail.com> <9bf334b8-cdde-b5a2-608f-6dbb4a353aa2@mit.edu>
In-Reply-To: <9bf334b8-cdde-b5a2-608f-6dbb4a353aa2@mit.edu>
From: Olga Kornievskaia <aglo@umich.edu>
Date: Wed, 11 Jan 2023 11:34:29 -0500
Message-ID: <CAN-5tyGd2r93qX5UfOExhoF6fY1SmFWdUYnm+YFgFP19_DHkUw@mail.gmail.com>
To: Greg Hudson <ghudson@mit.edu>
Cc: Luke Howard Bentata <lukeh=40padl.com@dmarc.ietf.org>, "kitten@ietf.org" <kitten@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/s2eaVRYWvUVDAez9maNuv5AwbGg>
Subject: Re: [kitten] Question about AES mode in Kerberos
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Jan 2023 16:34:54 -0000
Thank you Greg for all the information. While I can't claim to understand all the details, I now have a much better understanding of the AES-GCM's place in the Kerberos world. On Mon, Jan 9, 2023 at 5:55 PM Greg Hudson <ghudson@mit.edu> wrote: > > On 1/9/23 15:25, Olga Kornievskaia wrote: > > May I ask a stupid question? Is there something inherently different > > about nonce handling/producing in Kerberos that's different from TLS? > > The symmetric encryption facilities in TLS are in service only to the > channel protocol. TLS is regularly used to carry large amounts of data > in a variety of application protocols. > > The symmetric encryption facilities in Kerberos are in service primarily > to the stateless authentication protocol, which uses long-term keys. > Kerberos channel protocols exist (KRB-PRIV and GSS), using the same > encryption facilities, but they are used less widely than the > authentication protocol and much less widely than TLS. > > It is possible to use different encryption facilities in the gss-krb5 > channel protocol from the ones used in the authentication protocol; > Luke's work does this and there is historical precedent with older > encryption types. But doing so adds complexity, and therefore risk. > > > TLS community seems to have chosen AES-GCM as their AES mode and do > > acknowledge that nonce-reuse would lead to catastrophic failures. > > This has not been completely uncontroversial or without consequence. > Some implementations of GCM in TLS 1.2 have apparently been vulnerable > to nonce reuse attacks; I found > https://www.usenix.org/sites/default/files/conference/protected-files/woot16_slides_bock.pdf > with a quick search. See also > https://www.metzdowd.com/pipermail/cryptography/2023-January/038092.html . > > > I'm not sure what kind of conclusions I should draw from the > > statement: "The enctype can't fit within the RFC 3961 framework (I > > believe) because it requires nonce information from an upper layer." > > But say NFS wanted AES-GCM it would need to negotiated it with RFC > > 4537 (support for this is btw I'm not sure is implemented in an MIT > > library, correct?), but to do so there needs to an IANA enctype for it > > (like aes128-gcm-hmac-sha256-128, aes256-gcm-hmac-sha384-192) which > > there isn't one? But there are IANA numbers for AEAD_AES_128_GCM_SIV, > > AEAD_AES_256_GCM_SIV? Also, you note that mixed different security > > properties is problematic. > > I apologize for the confusion here. I was not saying that AES-GCM > couldn't be used within the RFC 3961 framework for lack of a number > assignment. > > RFC 3961 defines a framework for encryption and checksum types for use > in the Kerberos protocol. This framework does not include nonce input > from the upper layer; encryption types using nonces or IVs are expected > to generate them internally, typically randomly. AES-GCM is not very > suitable for use as an RFC 3961 encryption type for this reason. > AES-GCM-SIV is more suitable, because the enctype could use a random > nonce and an accidental nonce reuse after many encryptions would not > compromise the long-term key. > > A GSS channel protocol using AES-GCM can be defined outside of the RFC > 3961 framework. However, negotiating this protocol using RFC 4537 would > require a registering an RFC 3961 enctype number corresponding to the > new channel protocol. Such a registration carries the risk of > implementations adding the new enctype within their RFC 3961 libraries > and accidentally allowing it to be used in the authentication protocol. > This kind of mistake has happened many times within the security > software space--every Kerberos implementation has had CVEs resulting > from the mixture of keyed and unkeyed hashes within the RFC 3961 > checksum registry, and similar problems have resulted from the mixture > of symmetric and asymmetric signing algorithms in JWT. > > It would be possible to use a separate negotiation mechanism (as Luke > pointed out in his response to my concerns), although that would carry > its own complexity cost. > > > I have no performance claims about AES-GCM over AES-CBC except for > > what I've read from the web. Statements such as that because each > > block can be processed individually (in parallel) that it "can" allow > > for better performance over AES-CBC. I can see that an implementation > > can code it up serially and then no performance gains will be had. > > Also, perhaps the performance gains are very small even when > > implemented in parallel and that would be useful to know. > > It is easy to find measurements of maximum AES-GCM speed exceeding > maximum AES-CBC speed as cryptographic primitives in isolation. Once > one adds the encumbrance of a Kerberos application running over a > network, this difference might disappear into the noise. > > > My quest was simply trying to understand why TLS has decided on GCM > > (which seem to be more performant, according to some) and Kerberos did > > not. All of this in hopes of improving NFS over Kerberos performance. > > There may be a reasonable justification for adopting Luke's AES-GCM work > on the basis of NFS performance, but in my opinion a lot of footwork is > required to show that meaningful increased performance is achievable in > this way. And even then there is a legitimate question of whether the > performance benefit for this application is worth the increased > complexity within Kerberos implementations, and the risk of nonce reuse > vulnerabilities due to specification or implementation errors.
- [kitten] Question about AES mode in Kerberos Olga Kornievskaia
- Re: [kitten] Question about AES mode in Kerberos Jeffrey Altman
- Re: [kitten] Question about AES mode in Kerberos Olga Kornievskaia
- Re: [kitten] Question about AES mode in Kerberos Jeffrey Altman
- Re: [kitten] [EXTERNAL] Re: Question about AES mo… Steve Syfuhs (AP)
- Re: [kitten] Question about AES mode in Kerberos Luke Howard
- Re: [kitten] [EXTERNAL] Re: Question about AES mo… Paul Miller (NT)
- Re: [kitten] [EXTERNAL] Re: Question about AES mo… Olga Kornievskaia
- Re: [kitten] [EXTERNAL] Re: Question about AES mo… Steve Syfuhs (AP)
- Re: [kitten] [EXTERNAL] Re: Question about AES mo… Luke Howard Bentata
- Re: [kitten] Question about AES mode in Kerberos Luke Howard Bentata
- Re: [kitten] [EXTERNAL] Re: Question about AES mo… Steve Syfuhs (AP)
- Re: [kitten] [EXTERNAL] Re: Question about AES mo… Luke Howard Bentata
- Re: [kitten] [EXTERNAL] Re: Question about AES mo… Luke Howard
- Re: [kitten] [EXTERNAL] Re: Question about AES mo… Luke Howard Bentata
- Re: [kitten] [EXTERNAL] Re: Question about AES mo… Ken Hornstein
- Re: [kitten] Question about AES mode in Kerberos Olga Kornievskaia
- Re: [kitten] [EXTERNAL] Re: Question about AES mo… Luke Howard Bentata
- Re: [kitten] Question about AES mode in Kerberos Luke Howard Bentata
- Re: [kitten] Question about AES mode in Kerberos Greg Hudson
- Re: [kitten] Question about AES mode in Kerberos Luke Howard Bentata
- Re: [kitten] Question about AES mode in Kerberos Luke Howard Bentata
- Re: [kitten] Question about AES mode in Kerberos Luke Howard
- Re: [kitten] Question about AES mode in Kerberos Olga Kornievskaia
- Re: [kitten] Question about AES mode in Kerberos Luke Howard Bentata
- Re: [kitten] Question about AES mode in Kerberos Greg Hudson
- Re: [kitten] Question about AES mode in Kerberos Luke Howard
- Re: [kitten] Question about AES mode in Kerberos Olga Kornievskaia
- Re: [kitten] Question about AES mode in Kerberos Olga Kornievskaia
- Re: [kitten] Question about AES mode in Kerberos Luke Howard Bentata
- Re: [kitten] Question about AES mode in Kerberos Nico Williams
- Re: [kitten] Question about AES mode in Kerberos Nico Williams
- Re: [kitten] [EXTERNAL] Re: Question about AES mo… Steve Syfuhs (AP)
- Re: [kitten] [EXTERNAL] Re: Question about AES mo… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Question about AES mo… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Question about AES mo… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Question about AES mo… Nico Williams
- Re: [kitten] Question about AES mode in Kerberos Nico Williams
- Re: [kitten] Question about AES mode in Kerberos Nico Williams
- Re: [kitten] Question about AES mode in Kerberos Luke Howard
- Re: [kitten] Question about AES mode in Kerberos Luke Howard
- Re: [kitten] Question about AES mode in Kerberos Olga Kornievskaia
- Re: [kitten] Question about AES mode in Kerberos Luke Howard Bentata