[kitten] SPAKE preauth behavior on wrong password
Greg Hudson <ghudson@mit.edu> Tue, 03 October 2017 15:16 UTC
Return-Path: <ghudson@mit.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 11B3D134DCF for <kitten@ietfa.amsl.com>; Tue, 3 Oct 2017 08:16:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.521
X-Spam-Level:
X-Spam-Status: No, score=-1.521 tagged_above=-999 required=5 tests=[BAYES_50=0.8, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id M9bLOExL_0O0 for <kitten@ietfa.amsl.com>; Tue, 3 Oct 2017 08:16:28 -0700 (PDT)
Received: from dmz-mailsec-scanner-5.mit.edu (dmz-mailsec-scanner-5.mit.edu [18.7.68.34]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0CC76133341 for <kitten@ietf.org>; Tue, 3 Oct 2017 08:10:02 -0700 (PDT)
X-AuditID: 12074422-45dff700000024ab-f0-59d3a84a7a05
Received: from mailhub-auth-2.mit.edu ( [18.7.62.36]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-5.mit.edu (Symantec Messaging Gateway) with SMTP id E3.74.09387.A48A3D95; Tue, 3 Oct 2017 11:10:02 -0400 (EDT)
Received: from outgoing.mit.edu (OUTGOING-AUTH-1.MIT.EDU [18.9.28.11]) by mailhub-auth-2.mit.edu (8.13.8/8.9.2) with ESMTP id v93FA10C001536 for <kitten@ietf.org>; Tue, 3 Oct 2017 11:10:01 -0400
Received: from localhost (EQUAL-RITES.MIT.EDU [10.18.1.59]) (authenticated bits=0) (User authenticated as ghudson@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id v93FA0cZ000798 for <kitten@ietf.org>; Tue, 3 Oct 2017 11:10:01 -0400
From: Greg Hudson <ghudson@mit.edu>
To: kitten@ietf.org
Date: Tue, 03 Oct 2017 11:10:00 -0400
Message-ID: <x7dy3osw9mf.fsf@equal-rites.mit.edu>
MIME-Version: 1.0
Content-Type: text/plain
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFprEIsWRmVeSWpSXmKPExsUixG6nouu14nKkwcl/zBZHN69icWD0WLLk J1MAYxSXTUpqTmZZapG+XQJXxr9XX5kKWqUrbv08wtLA+FG0i5GTQ0LARKLj5yTWLkYuDiGB xUwSH24+YIJwjjFKnFuyjhWkSkignUnizckcEJtNQFli/f6tLCC2iICwxO6t75hBbGEBQ4k7 u54xgdgsAqoSs15OBKvhBYpfal/DBGELSpyc+QQsziwgIXHwxQvmCYzcs5CkZiFJLWBkWsUo m5JbpZubmJlTnJqsW5ycmJeXWqRrqpebWaKXmlK6iREcBC5KOxgn/vM6xCjAwajEw3tjwuVI IdbEsuLK3EOMkhxMSqK8r5cBhfiS8lMqMxKLM+KLSnNSiw8xSnAwK4nw/l4MlONNSaysSi3K h0lJc7AoifNuC9oVKSSQnliSmp2aWpBaBJOV4eBQkuBdthyoUbAoNT21Ii0zpwQhzcTBCTKc B2g4B0gNb3FBYm5xZjpE/hSjpJQ471OQiwRAEhmleXC9rxjFgV4Q5hUBaeMBRjRc1yuggUxA A+d0XQAZWJKIkJJqYExQ7WO+1PaSseDKNa4ZBhITnz2aKX7lm/qhm5G8LtNC3VIvGu47GnV4 Xt0Si7Tusky1Bekl/smvyq9Nee5/M02oz/b277ddXg6HWR3NVfz5GYOys+eFFt9IrOYN6V+r Jh3fu89Yv7pj7m+h11t7WdnSuJb0sXlVOPT2WLcavr70qJWTS3qhEktxRqKhFnNRcSIA42K/ VqUCAAA=
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/uB3zyxjkl2ndEtSyhJI0y-mDkFE>
Subject: [kitten] SPAKE preauth behavior on wrong password
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Oct 2017 15:16:36 -0000
In SPAKE preauth, the client sends a key confirmation in the SPAKEResponse message in the form of an encrypted SPAKESecondFacter message, using a derived key. If decryption succeeds, the client used the correct initial reply key. If it fails, the client probably used the wrong initial reply key, which may have resulted from the user entering the wrong password. (Less likely possibilities include parts of the AS exchange being altered in flight, or an interoperability bug.) The SPAKE draft currently says: If decryption is successful, the first factor is successfully validated. The KDC then validates the second factor. If either factor fails to validate, the KDC SHOULD respond with an appropriate KRB-ERROR message. I think "an appropriate KRB-ERROR message" is probably too vague, and we should specify what error code to use. That error code should probably be KDC_ERR_PREAUTH_FAILED, per RFC 4120 section 3.1.3 and RFC 6113 section 2. The draft also doesn't say what should be done in the second pass if the KDC doesn't support any of the client's groups. RFC 6113 section 2 encourages clients to continue trying to pre-authenticate after a PREAUTH_FAILED error, either using METHOD-DATA included in the error or by sending an unauthenticated reques to get METHOD-DATA. In context, the motivation for that recommendation may be optimistic preauth (the client might try to do opstimistic encrypted timestamp using the wrong salt, for instance), but that recommendation is also important if a multi-hop mechanism can fail to negotiate parameters. For instance, a client might send a SPAKESupport message and get back a PREAUTH_FAILED error because the KDC doesn't support any of the groups it offers. Following this recommendation has an unfortunate result when the wrong password is entered: the client will self-downgrade to encrypted timestamp (if the KDC offered it and the client allows it), unless it has specific logic not to try encrypted timestamp after a PREAUTH_FAILED reply to a SPAKEResponse message which used SF-NONE. A passive attacker could then mount an offline dictionary attack against the wrong password; from the incorrect password it might only take a few guesses to find the correct one. I think we just want to make a note of this in the security considerations. I therefore propose the following updates: * In the "Second Pass" subsection, after "... the KDC MAY select another group in hopes that the client might support it", add "Otherwise, the KDC MUST respond with a KDC_ERR_PREAUTH_FAILED error." * Change "SHOULD respond with an appropriate KRB-ERROR message" to "SHOULD respond with a KDC_ERR_PREAUTH_FAILED error". * In security considerations in the "Dictionary Attacks" subsection, add a second paragraph (after the one describing an active downgrade attack): If the user enters the wrong password, the client may fall back to encrypted timestamp after receiving a KDC_ERR_PREAUTH_FAILED error from the KDC, if encrypted timestamp is offered by the KDC and not disabled by client configuration. This fallback will enable a passive attacker to mount an offline dictionary attack against the incorrect password. Client implementations MAY assume that encrypted timestamp is unlikely to succeed if SPAKE pre-authentication fails in the second pass and no second factor was used.
- [kitten] SPAKE preauth behavior on wrong password Greg Hudson
- Re: [kitten] SPAKE preauth behavior on wrong pass… Robbie Harwood
- Re: [kitten] SPAKE preauth behavior on wrong pass… Henry B (Hank) Hotz, CISSP
- Re: [kitten] SPAKE preauth behavior on wrong pass… Greg Hudson
- Re: [kitten] SPAKE preauth behavior on wrong pass… Robbie Harwood
- Re: [kitten] SPAKE preauth behavior on wrong pass… Benjamin Kaduk
- Re: [kitten] SPAKE preauth behavior on wrong pass… Henry B (Hank) Hotz, CISSP