Re: [kitten] [Emu] Right place for ABFAB ephemeral keying
Josh Howlett <Josh.Howlett@ja.net> Thu, 28 November 2013 11:52 UTC
Return-Path: <Josh.Howlett@ja.net>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A20DF1AE0D1; Thu, 28 Nov 2013 03:52:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.001
X-Spam-Level:
X-Spam-Status: No, score=-0.001 tagged_above=-999 required=5 tests=[BAYES_20=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Dueuhi522cT3; Thu, 28 Nov 2013 03:52:21 -0800 (PST)
Received: from har003676.ukerna.ac.uk (har003676.ukerna.ac.uk [194.82.140.75]) by ietfa.amsl.com (Postfix) with ESMTP id 907CF1AE0CF; Thu, 28 Nov 2013 03:52:21 -0800 (PST)
Received: from har003676.ukerna.ac.uk (localhost.localdomain [127.0.0.1]) by localhost (Email Security Appliance) with SMTP id 0A5544A6BA0_2972E74B; Thu, 28 Nov 2013 11:52:20 +0000 (GMT)
Received: from EXC001.atlas.ukerna.ac.uk (exc001.atlas.ukerna.ac.uk [193.62.83.37]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (Client CN "staffmail.ja.net", Issuer "TERENA SSL CA" (verified OK)) by har003676.ukerna.ac.uk (Sophos Email Appliance) with ESMTPS id A21944A6B1C_2972E72F; Thu, 28 Nov 2013 11:52:18 +0000 (GMT)
Received: from EXC001.atlas.ukerna.ac.uk ([193.62.83.37]) by EXC001 ([193.62.83.37]) with mapi id 14.03.0123.003; Thu, 28 Nov 2013 11:52:18 +0000
From: Josh Howlett <Josh.Howlett@ja.net>
To: Sam Hartman <hartmans-ietf@mit.edu>, "kitten@ietf.org" <kitten@ietf.org>, "emu@ietf.org" <emu@ietf.org>, "abfab@ietf.org" <abfab@ietf.org>
Thread-Topic: [Emu] Right place for ABFAB ephemeral keying
Thread-Index: AQHO4jAYN1MIKnIBekG46BO4ULt9e5o6nCiA
Date: Thu, 28 Nov 2013 11:52:17 +0000
Message-ID: <CEBCD320.11DD1%Josh.Howlett@ja.net>
In-Reply-To: <tsly54pjzeq.fsf@mit.edu>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.3.8.130913
x-originating-ip: [194.82.140.76]
Content-Type: text/plain; charset="us-ascii"
Content-ID: <8687A9390B2F9F429FD8BEC1958F0720@ukerna.ac.uk>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [kitten] [Emu] Right place for ABFAB ephemeral keying
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Nov 2013 11:52:24 -0000
Sam, I agree with your conclusion. There are example of lower layers using EAP-based ephemeral keying, and ABFAB could perhaps look to those for inspiration and perhaps reuse. Josh. On 16/11/2013 02:25, "Sam Hartman" <hartmans-ietf@mit.edu> wrote: > >Hi. >At the most recent ABFAB meeting I brought up the idea of adding >ephemeral keying to ABFAB. >This would provide the following: > >* Protect the EAP conversation between the peer and NAS (initiator and > acceptor in GSS terms) > >* Provide a key to protect ABFAB negotiations > >* Prevent the EAP server or proxies between the EAP server and NAS from > observing the resulting session > >This would help defeat fingerprinting by passive observers as well as >minimize the damage that a passive server could do cooperating with the >home EAP server. This is more valuable for ABFAB used in protocols like >NFS and CIFS or in RFc 4462 SSH key exchange than it is for ABFAB used >within an TLS session for IMAP, XMPP or SMTP. > > >Stephen thought the general idea of protecting ABFAB sounded good but >would prefer that we get better protocol re-use and suggested we look >into protecting EAP in general. I was dubious of that but suggested >protecting Kerberos GSS in general as an option. > >After trying to work through how to protect either EAP or Kerberos, I've >mostly concluded that I don't know how to get significant protocol >re-use. However I do agree with Stephen that it would be better that >get protocol re-use if we can still implement relatively quickly and >meet all of the above protection goals for ABFAB. > >So, here are my thoughts on EAP and Kerberos: > >EAP. Ephemeral keying doesn't belong in an EAP method. EAP methods run >between the peer and EAP server. We want PFS between the peer and NAS. >The endpoints are wrong. > >We could insert a layer similar to ERP (the hokey produced EAP >Reauthentication Protocol) between the peer and NAS. It's been a while >since I've looked at ERP, but I seem to recall that ERP runs between the >peer and an entity in the visited domain although it does have specific >NAS support. > >That approach would be OK for ABFAB assuming it could be implemented >efficiently. It would be a bit ugly because you want to start using the >ephemeral key well before EAP has concluded. However, for lower layers >that do complex keying after EAP concludes, it's probably the wrong >approach. Also, ERP took a long time to specify. I don't want to >commit to astandardization effort that complex. > >Kerberos. I was considering trying to share some tokens for ephemeral >keying with Kerberos. keying wants ephemeral keing within a GSS >mechanism. You could do that for Kerberos, although you'd need to take >advantage of the not-widely-implemented extension to the magic checksum >used by GSS for channel binding and (in that magic extension) other >extensions. In ABFAb the framing would be different because our context >tokens have subtokens. However we could use the same PDU. > >Except for two things. First, Kerberos probably would be happier with >an ap-req and ap-rep extension than a GSS mechanism level extension. >Secondly, Kerberos might well want to use pkinit data structures and >possibly even run a stripped down client-server version of pkinit for >the ephemeral keying. That's way too expensive in terms of >implementation complexity if you don't already have a pkinit >implementation sitting around. > >my conclusion from all this is that the right place to do ephemeral >keying for an EAP protocol is in the lower layer and that unless I got >something wrong or missed an alternative, ABFAb should do its own >mechanism. > >Can anyone see a good way to get protocol re-use here? >_______________________________________________ >Emu mailing list >Emu@ietf.org >https://www.ietf.org/mailman/listinfo/emu Janet(UK) is a trading name of Jisc Collections and Janet Limited, a not-for-profit company which is registered in England under No. 2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238
- [kitten] Right place for ABFAB ephemeral keying Sam Hartman
- Re: [kitten] Right place for ABFAB ephemeral keyi… Jeffrey Hutzelman
- Re: [kitten] [Emu] Right place for ABFAB ephemera… Josh Howlett