[kitten] SPAKE preauth behavior on wrong password
Greg Hudson <ghudson@mit.edu> Tue, 03 October 2017 15:16 UTC
Return-Path: <ghudson@mit.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 11B3D134DCF for <kitten@ietfa.amsl.com>; Tue, 3 Oct 2017 08:16:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.521
X-Spam-Level:
X-Spam-Status: No, score=-1.521 tagged_above=-999 required=5 tests=[BAYES_50=0.8, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id M9bLOExL_0O0 for <kitten@ietfa.amsl.com>; Tue, 3 Oct 2017 08:16:28 -0700 (PDT)
Received: from dmz-mailsec-scanner-5.mit.edu (dmz-mailsec-scanner-5.mit.edu [18.7.68.34]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0CC76133341 for <kitten@ietf.org>; Tue, 3 Oct 2017 08:10:02 -0700 (PDT)
X-AuditID: 12074422-45dff700000024ab-f0-59d3a84a7a05
Received: from mailhub-auth-2.mit.edu ( [18.7.62.36]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-5.mit.edu (Symantec Messaging Gateway) with SMTP id E3.74.09387.A48A3D95; Tue, 3 Oct 2017 11:10:02 -0400 (EDT)
Received: from outgoing.mit.edu (OUTGOING-AUTH-1.MIT.EDU [18.9.28.11]) by mailhub-auth-2.mit.edu (8.13.8/8.9.2) with ESMTP id v93FA10C001536 for <kitten@ietf.org>; Tue, 3 Oct 2017 11:10:01 -0400
Received: from localhost (EQUAL-RITES.MIT.EDU [10.18.1.59]) (authenticated bits=0) (User authenticated as ghudson@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id v93FA0cZ000798 for <kitten@ietf.org>; Tue, 3 Oct 2017 11:10:01 -0400
From: Greg Hudson <ghudson@mit.edu>
To: kitten@ietf.org
Date: Tue, 03 Oct 2017 11:10:00 -0400
Message-ID: <x7dy3osw9mf.fsf@equal-rites.mit.edu>
MIME-Version: 1.0
Content-Type: text/plain
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFprEIsWRmVeSWpSXmKPExsUixG6nouu14nKkwcl/zBZHN69icWD0WLLk J1MAYxSXTUpqTmZZapG+XQJXxr9XX5kKWqUrbv08wtLA+FG0i5GTQ0LARKLj5yTWLkYuDiGB xUwSH24+YIJwjjFKnFuyjhWkSkignUnizckcEJtNQFli/f6tLCC2iICwxO6t75hBbGEBQ4k7 u54xgdgsAqoSs15OBKvhBYpfal/DBGELSpyc+QQsziwgIXHwxQvmCYzcs5CkZiFJLWBkWsUo m5JbpZubmJlTnJqsW5ycmJeXWqRrqpebWaKXmlK6iREcBC5KOxgn/vM6xCjAwajEw3tjwuVI IdbEsuLK3EOMkhxMSqK8r5cBhfiS8lMqMxKLM+KLSnNSiw8xSnAwK4nw/l4MlONNSaysSi3K h0lJc7AoifNuC9oVKSSQnliSmp2aWpBaBJOV4eBQkuBdthyoUbAoNT21Ii0zpwQhzcTBCTKc B2g4B0gNb3FBYm5xZjpE/hSjpJQ471OQiwRAEhmleXC9rxjFgV4Q5hUBaeMBRjRc1yuggUxA A+d0XQAZWJKIkJJqYExQ7WO+1PaSseDKNa4ZBhITnz2aKX7lm/qhm5G8LtNC3VIvGu47GnV4 Xt0Si7Tusky1Bekl/smvyq9Nee5/M02oz/b277ddXg6HWR3NVfz5GYOys+eFFt9IrOYN6V+r Jh3fu89Yv7pj7m+h11t7WdnSuJb0sXlVOPT2WLcavr70qJWTS3qhEktxRqKhFnNRcSIA42K/ VqUCAAA=
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/uB3zyxjkl2ndEtSyhJI0y-mDkFE>
Subject: [kitten] SPAKE preauth behavior on wrong password
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Oct 2017 15:16:36 -0000
In SPAKE preauth, the client sends a key confirmation in the
SPAKEResponse message in the form of an encrypted SPAKESecondFacter
message, using a derived key. If decryption succeeds, the client used
the correct initial reply key. If it fails, the client probably used
the wrong initial reply key, which may have resulted from the user
entering the wrong password. (Less likely possibilities include parts
of the AS exchange being altered in flight, or an interoperability bug.)
The SPAKE draft currently says:
If decryption is successful, the first factor is successfully
validated. The KDC then validates the second factor. If either
factor fails to validate, the KDC SHOULD respond with an appropriate
KRB-ERROR message.
I think "an appropriate KRB-ERROR message" is probably too vague, and we
should specify what error code to use. That error code should probably
be KDC_ERR_PREAUTH_FAILED, per RFC 4120 section 3.1.3 and RFC 6113
section 2. The draft also doesn't say what should be done in the second
pass if the KDC doesn't support any of the client's groups.
RFC 6113 section 2 encourages clients to continue trying to
pre-authenticate after a PREAUTH_FAILED error, either using METHOD-DATA
included in the error or by sending an unauthenticated reques to get
METHOD-DATA. In context, the motivation for that recommendation may be
optimistic preauth (the client might try to do opstimistic encrypted
timestamp using the wrong salt, for instance), but that recommendation
is also important if a multi-hop mechanism can fail to negotiate
parameters. For instance, a client might send a SPAKESupport message
and get back a PREAUTH_FAILED error because the KDC doesn't support any
of the groups it offers.
Following this recommendation has an unfortunate result when the wrong
password is entered: the client will self-downgrade to encrypted
timestamp (if the KDC offered it and the client allows it), unless it
has specific logic not to try encrypted timestamp after a PREAUTH_FAILED
reply to a SPAKEResponse message which used SF-NONE. A passive attacker
could then mount an offline dictionary attack against the wrong
password; from the incorrect password it might only take a few guesses
to find the correct one. I think we just want to make a note of this in
the security considerations.
I therefore propose the following updates:
* In the "Second Pass" subsection, after "... the KDC MAY select another
group in hopes that the client might support it", add "Otherwise, the
KDC MUST respond with a KDC_ERR_PREAUTH_FAILED error."
* Change "SHOULD respond with an appropriate KRB-ERROR message" to
"SHOULD respond with a KDC_ERR_PREAUTH_FAILED error".
* In security considerations in the "Dictionary Attacks" subsection, add
a second paragraph (after the one describing an active downgrade
attack):
If the user enters the wrong password, the client may fall back to
encrypted timestamp after receiving a KDC_ERR_PREAUTH_FAILED error
from the KDC, if encrypted timestamp is offered by the KDC and not
disabled by client configuration. This fallback will enable a
passive attacker to mount an offline dictionary attack against the
incorrect password. Client implementations MAY assume that encrypted
timestamp is unlikely to succeed if SPAKE pre-authentication fails
in the second pass and no second factor was used.
- [kitten] SPAKE preauth behavior on wrong password Greg Hudson
- Re: [kitten] SPAKE preauth behavior on wrong pass… Robbie Harwood
- Re: [kitten] SPAKE preauth behavior on wrong pass… Henry B (Hank) Hotz, CISSP
- Re: [kitten] SPAKE preauth behavior on wrong pass… Greg Hudson
- Re: [kitten] SPAKE preauth behavior on wrong pass… Robbie Harwood
- Re: [kitten] SPAKE preauth behavior on wrong pass… Benjamin Kaduk
- Re: [kitten] SPAKE preauth behavior on wrong pass… Henry B (Hank) Hotz, CISSP