IETF Logo Mail Archive

Re: [kitten] complementary OPAQUE SASL mechanism draft

Simo Sorce <simo@redhat.com> Fri, 14 October 2022 19:29 UTC

Return-Path: <simo@redhat.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4081CC14F719 for <kitten@ietfa.amsl.com>; Fri, 14 Oct 2022 12:29:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.677
X-Spam-Level:
X-Spam-Status: No, score=-2.677 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.571, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=redhat.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GDhNmudAMOFP for <kitten@ietfa.amsl.com>; Fri, 14 Oct 2022 12:29:13 -0700 (PDT)
Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B6034C14F738 for <kitten@ietf.org>; Fri, 14 Oct 2022 12:29:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1665775752; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=kBhD9MZYbh5YBaSg0VXSPo9NqC9vp+TNHDHK5NVjqTI=; b=WvpgBDOi26AL0Zs3CJVgbOtlwoxgmBXQ37R/dTxhp4fa8mnZVjgy5SAGFvNULSz48J3uSR upEAD9eAYTem/aw3A+giDOZ843KfhQH0+RJzr6GsPTr5T80qXKBQZD6/7lChnJ2Z9jvK7p 8lwUzgidcadBqbnp8YjeFm+WFIx9Nqk=
Received: from mail-oa1-f71.google.com (mail-oa1-f71.google.com [209.85.160.71]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_128_GCM_SHA256) id us-mta-423-KImE8Iz7MJaf8cXFn15Agg-1; Fri, 14 Oct 2022 15:29:10 -0400
X-MC-Unique: KImE8Iz7MJaf8cXFn15Agg-1
Received: by mail-oa1-f71.google.com with SMTP id 586e51a60fabf-1331cbf6357so2696953fac.11 for <kitten@ietf.org>; Fri, 14 Oct 2022 12:29:10 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=mime-version:user-agent:content-transfer-encoding:organization :references:in-reply-to:date:cc:to:from:subject:message-id :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=kBhD9MZYbh5YBaSg0VXSPo9NqC9vp+TNHDHK5NVjqTI=; b=39u8bYLJqNiUZHrXrQWEnCaZCvHH29Ee/FSgPFEuHQj/4peDllTZ0fdbUDJnOWvIwI lQmiv9AFisZogt6Ls7NoGeCK+JXWJyHQWhbVegv5MUC2b9e2jjDLgqswcQIU15pj29d/ FvIi13DVaYpU8jUe4gP2c1Hb0ZHbt6lXebLkvxMRZj0D89hXzinymK225U1KBRogSG4n iLU/+5Doka6NO/CCAlTjg6olwRX11uYB94qGyPrHAp2A7sJqk/f+OQWuJsqEWtYOfNz6 +buWI03FFmRds5zL0eFSHBOpcgolHLcbm0Z2H+iOmMmJDtMCfh7PGmUmEZro8D2Q84sL igWQ==
X-Gm-Message-State: ACrzQf0BPMENlTFSBe2YKNANPtz9yEMTddJAKez5uUd7qvZUQdee4xAa 5z481WHssRirFX0ZgiQaZWEFla8tbRxnaV/8CSaxAkqwDdI3XvO+FtcyoSo5OM0GgdPzIxtRca8 0wNLa2dM=
X-Received: by 2002:a05:6808:23cd:b0:354:d3bf:6a8 with SMTP id bq13-20020a05680823cd00b00354d3bf06a8mr3179168oib.192.1665775750248; Fri, 14 Oct 2022 12:29:10 -0700 (PDT)
X-Google-Smtp-Source: AMsMyM7tEhZ85dlr1FX8Rn4Ecssw48SYFvEfeQq3v2G5HyVr8LRVqVpUOsqZdlgcUFidDGW+7V758Q==
X-Received: by 2002:a05:6808:23cd:b0:354:d3bf:6a8 with SMTP id bq13-20020a05680823cd00b00354d3bf06a8mr3179164oib.192.1665775750005; Fri, 14 Oct 2022 12:29:10 -0700 (PDT)
Received: from m8.users.ipa.redhat.com (cpe-158-222-141-151.nyc.res.rr.com. [158.222.141.151]) by smtp.gmail.com with ESMTPSA id t41-20020a05680815a900b0035476861b1dsm1424345oiw.49.2022.10.14.12.29.09 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 14 Oct 2022 12:29:09 -0700 (PDT)
Message-ID: <05d5c01177a294cc21960ec5395fb00630d87f89.camel@redhat.com>
From: Simo Sorce <simo@redhat.com>
To: Simon Josefsson <simon=40josefsson.org@dmarc.ietf.org>, Stefan Marsiske <03cx8i55f6@ctrlc.hu>
Cc: kitten@ietf.org
Date: Fri, 14 Oct 2022 15:29:08 -0400
In-Reply-To: <878rlinswv.fsf@latte.josefsson.org>
References: <Y0mWXEZYl2d6/32Z@localhost> <878rlinswv.fsf@latte.josefsson.org>
Organization: Red Hat
User-Agent: Evolution 3.44.4 (3.44.4-1.fc36)
MIME-Version: 1.0
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/w1OcdhaSTYJnqG6MooUhUVff4_w>
Subject: Re: [kitten] complementary OPAQUE SASL mechanism draft
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Oct 2022 19:29:16 -0000

On Fri, 2022-10-14 at 20:48 +0200, Simon Josefsson wrote:
> Stefan Marsiske <03cx8i55f6@ctrlc.hu> writes:
> 
> > this draft by far less ambitious than the other introduced a few days ago on
> > this list. this one only specifies a simple OPAQUE mechanism for SASL and
> > mostly only the wireformat. there is no channel binding, and no secure layer.
> > it also does not support cryptographic agility[1], similar to wireguard and
> > other modern solutions, eliminating footguns, negotiations and other
> > complexity. it only specifies one configuration, one of the two specified by
> > the IRTF CFRG draft[2] with one change, the usage of argon2i for the KSF
> > instead of scrypt (for which i have an issue open to change[3]).
> 
> <rant>
> 
> I really prefer this kind of security protocol design.  Experience with
> other protocols, and even SASL (remember DIGEST-MD5?), has shown too
> many times that negotiation and parameter choices is harmful to
> security.  I wish we made GS2 and SCRAM less complex.  I understand some
> poeple want to continue the practice for SASL mechanisms, given the
> responses on my suggestion to hard-code parameters for OPAQUE*.  However
> I think the arguments for kind of design are weak at this point.  It is
> easy to ask for an optional feature, and give some rationale for the
> request that makes sense in isolation, but the hard part of security
> protocol design is to say NO to that feature creep.  When we don't, we
> all end up with ASN.1/PKIX hell and it takes years to recover.
> Premature parametrization is the root of many security flaws.


OTOH lack of agility makes it extremely hard to handle operationally.

As much as agility makes things more complicated it also makes it
actually possible to do smooth transitions over large deployments.

Lack of agility forces into flag days which end up with excruciating
disruptions or loss of security.

That said,
the good thing about SASL is that it is itself a negotiation mechanism.
As long as the actual mechanism exposed in SASL has an algorithm
qualified name like "OPAQUE-foo" rather than just OPAQUE, upgrades will
be possible by simply supporting multiple OPAQUE-xyz mechanisms.

Regards,
Simo.
 
-- 
Simo Sorce
RHEL Crypto Team
Red Hat, Inc

v2.23.0 | Report a Bug | By Email