Re: [kitten] SPAKE and non-deterministic RFC 3961 checksums

"Henry B (Hank) Hotz, CISSP" <hbhotz@oxy.edu> Sat, 30 September 2017 09:05 UTC

Return-Path: <hbhotz@oxy.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6C3B51326F6 for <kitten@ietfa.amsl.com>; Sat, 30 Sep 2017 02:05:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.534
X-Spam-Level:
X-Spam-Status: No, score=-3.534 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_SOFTFAIL=0.665, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id a0DnE2dyU2Vp for <kitten@ietfa.amsl.com>; Sat, 30 Sep 2017 02:05:34 -0700 (PDT)
Received: from mailout.easymail.ca (mailout.easymail.ca [64.68.200.34]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0A2D21326ED for <kitten@ietf.org>; Sat, 30 Sep 2017 02:05:32 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mailout.easymail.ca (Postfix) with ESMTP id D32AA2BC35; Sat, 30 Sep 2017 09:05:31 +0000 (UTC)
Received: from mailout.easymail.ca ([127.0.0.1]) by localhost (emo02-pco.easydns.vpn [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UGEXOg-5gGa9; Sat, 30 Sep 2017 09:05:31 +0000 (UTC)
Received: from macbook-air-2.lan (66-215-86-135.dhcp.psdn.ca.charter.com [66.215.86.135]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mailout.easymail.ca (Postfix) with ESMTPSA id B04642BBF7; Sat, 30 Sep 2017 09:05:26 +0000 (UTC)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2104\))
From: "Henry B (Hank) Hotz, CISSP" <hbhotz@oxy.edu>
In-Reply-To: <20170928022127.GF96685@kduck.kaduk.org>
Date: Sat, 30 Sep 2017 02:05:25 -0700
Cc: Simo Sorce <simo@redhat.com>, kitten@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <8CDF104A-0D83-4B46-9016-E8ECA6F581D3@oxy.edu>
References: <x7d1sn5zyl8.fsf@equal-rites.mit.edu> <20170919015937.GN96685@kduck.kaduk.org> <1505920169.1143.15.camel@redhat.com> <20170923190527.GU96685@kduck.kaduk.org> <1506358991.3211.1.camel@redhat.com> <20170926022550.GZ96685@kduck.kaduk.org> <B9ED4047-4BAF-4F58-A4CF-5CE420371BB7@oxy.edu> <20170928022127.GF96685@kduck.kaduk.org>
To: Benjamin Kaduk <kaduk@MIT.EDU>
X-Mailer: Apple Mail (2.2104)
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/vUQ3hZ4dBCQtMP66yNTh4Etm5KI>
Subject: Re: [kitten] SPAKE and non-deterministic RFC 3961 checksums
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 30 Sep 2017 09:05:35 -0000

> On Sep 27, 2017, at 7:21 PM, Benjamin Kaduk <kaduk@MIT.EDU>; wrote:
> 
> On Mon, Sep 25, 2017 at 10:04:15PM -0700, Henry B (Hank) Hotz, CISSP wrote:
>> 
>>> On Sep 25, 2017, at 7:25 PM, Benjamin Kaduk <kaduk@MIT.EDU>; wrote:
>>> 
>>> That said, Greg noted on IRC that if we do have a "no DES and SPAKE
>>> together" requirement, the KDC knows the initial reply key and can
>>> do the right thing fairly easiliy, including rejecting optimistic
>>> attempts from (broken) clients.  So, I'm starting to come around to
>>> the camp of "prevent SPAKE with 1DES, and require all future mandatory
>>> checksum types to be deterministic".  (Possibly all future checksum
>>> types entirely, but that may be too aggressive.)
>> 
>> Do we really have that many single-des deployments to worry about anymore? Everything I know of, including AFS and AD/Windows, has better alternatives available and just waiting to be turned on. Surely nobody is still using JGSS in Java 1.4.
> 
> As I understand it, there is not much (any?) modern software that strictly
> requires single-DES, but there are also many sites where the effort to
> upgrade has not been expended.  Even in ATHENA.MIT.EDU, we have cross-realm
> keys that are actively used (albeit not for terribly critical functionality)
> that remain single-DES because of the logistical challenges involved in
> getting both KDC administrators in contact and with a trusted channel.
> 
> -Ben

I know that kind of thing can be much harder than it seems it should. OTOH, do you think that difficulty (as a specific example) should prevent us from stipulating "no 1des with SPAKEā€?

Personal email.  hbhotz@oxy.edu