Re: [kitten] Question about AES mode in Kerberos
Greg Hudson <ghudson@mit.edu> Mon, 09 January 2023 22:55 UTC
Return-Path: <ghudson@mit.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 25788C14CEE5 for <kitten@ietfa.amsl.com>; Mon, 9 Jan 2023 14:55:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.097
X-Spam-Level:
X-Spam-Status: No, score=-7.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=mit.edu
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pDVIjUnGqmxf for <kitten@ietfa.amsl.com>; Mon, 9 Jan 2023 14:55:31 -0800 (PST)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DD5F1C14CEE4 for <kitten@ietf.org>; Mon, 9 Jan 2023 14:55:30 -0800 (PST)
Received: from [18.30.133.68] ([18.30.133.68]) (authenticated bits=0) (User authenticated as ghudson@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 309MtOpI001041 (version=TLSv1/SSLv3 cipher=AES128-GCM-SHA256 bits=128 verify=NOT); Mon, 9 Jan 2023 17:55:27 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mit.edu; s=outgoing; t=1673304928; bh=JYxqloM2zhv7oU+30Ee4FWWFaoHmX0s+h5N0Zyh4LX8=; h=Date:Subject:To:Cc:References:From:In-Reply-To; b=pCBc7WzBRBKX7oIvI1FAm6vjgIQzJ31kRo8DDsRO7MfZc7zbCSLCLef1TRJtAXVAT t8fJAvMcaPiu+Afot60DHnM1nD+P54GN6UB01YyrePJD/57wETCl276Jt2ZDtg/ptZ MhxT5yGphOgyEwJpg8GVP67UsEx9j+gCUtyBUBSqwwLaIdjTG5tlI1X1yX0CuJDEna 7UQI/aimE4vjzQd0+fv0AvU7zEpZ3wH7V1nchRSarpZm6LidNpVNbTSTebP4VLwDPz nuzp4fQD4pgFB2BsAigD0LebMLS6jV1jAAKd7eb09ouODy/UTqTj9M7bJsIYcXdz7I mBThDkS1d2bqg==
Message-ID: <9bf334b8-cdde-b5a2-608f-6dbb4a353aa2@mit.edu>
Date: Mon, 09 Jan 2023 17:55:24 -0500
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.2.2
Content-Language: en-US
To: Olga Kornievskaia <aglo@umich.edu>
Cc: Luke Howard Bentata <lukeh=40padl.com@dmarc.ietf.org>, "kitten@ietf.org" <kitten@ietf.org>
References: <CAN-5tyGGJXoo9RfKEGTsk8XeQDpZ--VSnO7nunzvnBBzrRB0WQ@mail.gmail.com> <558f31de-7fac-26c7-fe81-8e486968f0ef@secure-endpoints.com> <7B46A5A4-4415-4627-B964-44F2516D84FE@padl.com> <9464B1FF-6784-4D59-A4F6-1B5D58C2B94F@padl.com> <CAN-5tyE4eau116TkDLbvn+pTOjK_C+WEvi9SnUELr+4riTpZcw@mail.gmail.com> <cb3ff38f-7e62-0711-9a6c-50a96b571e2d@mit.edu> <CAN-5tyFA41VMz_3tBmh+FeefBBJOxfi1AoUCqUkRHR3z43qrKg@mail.gmail.com>
From: Greg Hudson <ghudson@mit.edu>
In-Reply-To: <CAN-5tyFA41VMz_3tBmh+FeefBBJOxfi1AoUCqUkRHR3z43qrKg@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/vJNSVM9mno7HyfzR7hn5gglGbQM>
Subject: Re: [kitten] Question about AES mode in Kerberos
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Jan 2023 22:55:35 -0000
On 1/9/23 15:25, Olga Kornievskaia wrote: > May I ask a stupid question? Is there something inherently different > about nonce handling/producing in Kerberos that's different from TLS? The symmetric encryption facilities in TLS are in service only to the channel protocol. TLS is regularly used to carry large amounts of data in a variety of application protocols. The symmetric encryption facilities in Kerberos are in service primarily to the stateless authentication protocol, which uses long-term keys. Kerberos channel protocols exist (KRB-PRIV and GSS), using the same encryption facilities, but they are used less widely than the authentication protocol and much less widely than TLS. It is possible to use different encryption facilities in the gss-krb5 channel protocol from the ones used in the authentication protocol; Luke's work does this and there is historical precedent with older encryption types. But doing so adds complexity, and therefore risk. > TLS community seems to have chosen AES-GCM as their AES mode and do > acknowledge that nonce-reuse would lead to catastrophic failures. This has not been completely uncontroversial or without consequence. Some implementations of GCM in TLS 1.2 have apparently been vulnerable to nonce reuse attacks; I found https://www.usenix.org/sites/default/files/conference/protected-files/woot16_slides_bock.pdf with a quick search. See also https://www.metzdowd.com/pipermail/cryptography/2023-January/038092.html . > I'm not sure what kind of conclusions I should draw from the > statement: "The enctype can't fit within the RFC 3961 framework (I > believe) because it requires nonce information from an upper layer." > But say NFS wanted AES-GCM it would need to negotiated it with RFC > 4537 (support for this is btw I'm not sure is implemented in an MIT > library, correct?), but to do so there needs to an IANA enctype for it > (like aes128-gcm-hmac-sha256-128, aes256-gcm-hmac-sha384-192) which > there isn't one? But there are IANA numbers for AEAD_AES_128_GCM_SIV, > AEAD_AES_256_GCM_SIV? Also, you note that mixed different security > properties is problematic. I apologize for the confusion here. I was not saying that AES-GCM couldn't be used within the RFC 3961 framework for lack of a number assignment. RFC 3961 defines a framework for encryption and checksum types for use in the Kerberos protocol. This framework does not include nonce input from the upper layer; encryption types using nonces or IVs are expected to generate them internally, typically randomly. AES-GCM is not very suitable for use as an RFC 3961 encryption type for this reason. AES-GCM-SIV is more suitable, because the enctype could use a random nonce and an accidental nonce reuse after many encryptions would not compromise the long-term key. A GSS channel protocol using AES-GCM can be defined outside of the RFC 3961 framework. However, negotiating this protocol using RFC 4537 would require a registering an RFC 3961 enctype number corresponding to the new channel protocol. Such a registration carries the risk of implementations adding the new enctype within their RFC 3961 libraries and accidentally allowing it to be used in the authentication protocol. This kind of mistake has happened many times within the security software space--every Kerberos implementation has had CVEs resulting from the mixture of keyed and unkeyed hashes within the RFC 3961 checksum registry, and similar problems have resulted from the mixture of symmetric and asymmetric signing algorithms in JWT. It would be possible to use a separate negotiation mechanism (as Luke pointed out in his response to my concerns), although that would carry its own complexity cost. > I have no performance claims about AES-GCM over AES-CBC except for > what I've read from the web. Statements such as that because each > block can be processed individually (in parallel) that it "can" allow > for better performance over AES-CBC. I can see that an implementation > can code it up serially and then no performance gains will be had. > Also, perhaps the performance gains are very small even when > implemented in parallel and that would be useful to know. It is easy to find measurements of maximum AES-GCM speed exceeding maximum AES-CBC speed as cryptographic primitives in isolation. Once one adds the encumbrance of a Kerberos application running over a network, this difference might disappear into the noise. > My quest was simply trying to understand why TLS has decided on GCM > (which seem to be more performant, according to some) and Kerberos did > not. All of this in hopes of improving NFS over Kerberos performance. There may be a reasonable justification for adopting Luke's AES-GCM work on the basis of NFS performance, but in my opinion a lot of footwork is required to show that meaningful increased performance is achievable in this way. And even then there is a legitimate question of whether the performance benefit for this application is worth the increased complexity within Kerberos implementations, and the risk of nonce reuse vulnerabilities due to specification or implementation errors.
- [kitten] Question about AES mode in Kerberos Olga Kornievskaia
- Re: [kitten] Question about AES mode in Kerberos Jeffrey Altman
- Re: [kitten] Question about AES mode in Kerberos Olga Kornievskaia
- Re: [kitten] Question about AES mode in Kerberos Jeffrey Altman
- Re: [kitten] [EXTERNAL] Re: Question about AES mo… Steve Syfuhs (AP)
- Re: [kitten] Question about AES mode in Kerberos Luke Howard
- Re: [kitten] [EXTERNAL] Re: Question about AES mo… Paul Miller (NT)
- Re: [kitten] [EXTERNAL] Re: Question about AES mo… Olga Kornievskaia
- Re: [kitten] [EXTERNAL] Re: Question about AES mo… Steve Syfuhs (AP)
- Re: [kitten] [EXTERNAL] Re: Question about AES mo… Luke Howard Bentata
- Re: [kitten] Question about AES mode in Kerberos Luke Howard Bentata
- Re: [kitten] [EXTERNAL] Re: Question about AES mo… Steve Syfuhs (AP)
- Re: [kitten] [EXTERNAL] Re: Question about AES mo… Luke Howard Bentata
- Re: [kitten] [EXTERNAL] Re: Question about AES mo… Luke Howard
- Re: [kitten] [EXTERNAL] Re: Question about AES mo… Luke Howard Bentata
- Re: [kitten] [EXTERNAL] Re: Question about AES mo… Ken Hornstein
- Re: [kitten] Question about AES mode in Kerberos Olga Kornievskaia
- Re: [kitten] [EXTERNAL] Re: Question about AES mo… Luke Howard Bentata
- Re: [kitten] Question about AES mode in Kerberos Luke Howard Bentata
- Re: [kitten] Question about AES mode in Kerberos Greg Hudson
- Re: [kitten] Question about AES mode in Kerberos Luke Howard Bentata
- Re: [kitten] Question about AES mode in Kerberos Luke Howard Bentata
- Re: [kitten] Question about AES mode in Kerberos Luke Howard
- Re: [kitten] Question about AES mode in Kerberos Olga Kornievskaia
- Re: [kitten] Question about AES mode in Kerberos Luke Howard Bentata
- Re: [kitten] Question about AES mode in Kerberos Greg Hudson
- Re: [kitten] Question about AES mode in Kerberos Luke Howard
- Re: [kitten] Question about AES mode in Kerberos Olga Kornievskaia
- Re: [kitten] Question about AES mode in Kerberos Olga Kornievskaia
- Re: [kitten] Question about AES mode in Kerberos Luke Howard Bentata
- Re: [kitten] Question about AES mode in Kerberos Nico Williams
- Re: [kitten] Question about AES mode in Kerberos Nico Williams
- Re: [kitten] [EXTERNAL] Re: Question about AES mo… Steve Syfuhs (AP)
- Re: [kitten] [EXTERNAL] Re: Question about AES mo… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Question about AES mo… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Question about AES mo… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Question about AES mo… Nico Williams
- Re: [kitten] Question about AES mode in Kerberos Nico Williams
- Re: [kitten] Question about AES mode in Kerberos Nico Williams
- Re: [kitten] Question about AES mode in Kerberos Luke Howard
- Re: [kitten] Question about AES mode in Kerberos Luke Howard
- Re: [kitten] Question about AES mode in Kerberos Olga Kornievskaia
- Re: [kitten] Question about AES mode in Kerberos Luke Howard Bentata