Re: [kitten] TLS 0-RTT question regarding draft-schmaus-kitten-sasl-ht
Dave Cridland <dave@cridland.net> Wed, 19 October 2022 10:08 UTC
Return-Path: <dave@cridland.net>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EEA8DC14CE25 for <kitten@ietfa.amsl.com>; Wed, 19 Oct 2022 03:08:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cridland.net
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5U-pMHKTrN3z for <kitten@ietfa.amsl.com>; Wed, 19 Oct 2022 03:08:46 -0700 (PDT)
Received: from mail-wr1-x436.google.com (mail-wr1-x436.google.com [IPv6:2a00:1450:4864:20::436]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8E53EC14F747 for <kitten@ietf.org>; Wed, 19 Oct 2022 03:08:46 -0700 (PDT)
Received: by mail-wr1-x436.google.com with SMTP id b4so28234576wrs.1 for <kitten@ietf.org>; Wed, 19 Oct 2022 03:08:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cridland.net; s=google; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=RlAhkCppxBC4ZIzARPZCAA+Y3hrfClDL6hNCRa7CSuM=; b=RA5ey6pLcUocikmzaKd1GubzFCmF/ZR98mW3grLzNIhYvoahktxFvH8mA0E8AZAxkQ pNWKIKF+yWB83FcGpQAoRgqe0gVKF0T54N4WPANrfA83rqWp2TtqMA6Nryq7JwrNALnU lstFhmFHsUYNmiH+QR9HhQjHhyGBtpoXr3eUg=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=RlAhkCppxBC4ZIzARPZCAA+Y3hrfClDL6hNCRa7CSuM=; b=jD4EZJYUYb57mGpzvuI4UpxkqOsO5WmL/bQrXDb57ed2KAUxy5/0tE4q/E0+59aZJS 5RC0NTfBCbydLvB5DvUI1ehEjQwvqMitJofbZa66NtQAYNdhatz3i7P8bTQikLQMz1Pt nyBcdjdIr8OowapT05Gd6LRst67cVfF2JMpC0pSlYNBWdDoe98aUBuanS8yOhXaMeAAC LNk7hGs3vhX+Jofa/3BHsy+1fDufC4/SmMoCfe/7+RPwhaqrgEWbl/osDQJtG6Xjxh20 5FWRyzv+Z5rAiv4eoxueop1DWrEIoIjm7cNekxxyh23amA+DKBcCTs/nhB/F0sJ6P1dR Mk1Q==
X-Gm-Message-State: ACrzQf0SXsC8Olw0gv4QSAvrWomU0gxc0lN5cHn8pBi7hRqDAecvKua0 sD7Z1TMG2D0HEfttpiVupQ6q1RvLxrJiHji1xYuG3g==
X-Google-Smtp-Source: AMsMyM7j99O92wTUsBYtgesYKTtUs3O6Fd/T+Kz6aC5Ck7RB6r5ww+9cnK0n8Kl9TZEuGvEGwOfmnd1lKASdwNS06VA=
X-Received: by 2002:a05:6000:80f:b0:234:6fe1:641a with SMTP id bt15-20020a056000080f00b002346fe1641amr100615wrb.463.1666174124248; Wed, 19 Oct 2022 03:08:44 -0700 (PDT)
MIME-Version: 1.0
References: <5e747325-e63e-2cfb-9814-b52b85acedc6@dequbed.space>
In-Reply-To: <5e747325-e63e-2cfb-9814-b52b85acedc6@dequbed.space>
From: Dave Cridland <dave@cridland.net>
Date: Wed, 19 Oct 2022 11:08:33 +0100
Message-ID: <CAKHUCzyk5HkRSM+z5WRyKMmMuSrH=x1=D8RdjWR5OxX0o0N2=Q@mail.gmail.com>
To: Nadja von Reitzenstein Cerpnjak <me@dequbed.space>
Cc: Florian Schmaus <flo@geekplace.eu>, KITTEN IETF WG <kitten@ietf.org>, Christoph Egger <egger@cs.fau.de>
Content-Type: multipart/alternative; boundary="000000000000cf655105eb6064bd"
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/yDBIR5tKcxOF3Ok0sjj-lSIlQ_s>
Subject: Re: [kitten] TLS 0-RTT question regarding draft-schmaus-kitten-sasl-ht
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Oct 2022 10:08:52 -0000
On Wed, 19 Oct 2022 at 10:22, Nadja von Reitzenstein Cerpnjak < me@dequbed.space> wrote: > After you recently linked it I was reading through your draft and I > would like a clarification regarding the intended interaction with > TLSv1.3 0-RTT data. > As a bit of background, HT-* was developed primarily with a view to providing a "fast reauthentication" in XMPP, and technically, would be initiated in the second client-sent data, normally as part of the new "SASL2" profile (XEP-0388). The currently proposed update to SASL2 has a "MUST NOT" for TLSv1.3 0-RTT data; I've argued that this ought to be a SHOULD NOT (and the proposal already lists sensible mitigations as far as I follow the detail). So if 0-RTT data were used, it'd be used in the initial stream open, and then the client would read off stream features including the supported authentication mechanisms (and SASL/SASL2 support), and only then send the HT-* client-send-first data, by which time channel binding information has been obtained: C->S (0-RTT) <stream:stream from='...' to='...' ... version=1.0> C<-S <stream:stream ...><stream:features>...</stream:features> C->S <authenticate mechanism='HT-*' ...><initial-data>...</initial-data/></authenticate> The alternative would be to optimistically pipeline the client-send-first data (which would work on other SASL-using protocols, too), in which case it would be possible to do so in the 0-RTT data. My understanding of 0-RTT data is fairly weak, but I understand that it may be subject to replay by an attacker. Assuming this is so, its current form, HT-* would then allow for a replay attack if the binding was not dependent on the session itself (ie, if there were no channel bindings or tls-server-end-point were used). Whether the attack is actually useful is something of another matter - I think an attacker would struggle to identify and use a useful pipelined sequence, but perhaps that's not the point. In any case, I entirely appreciate the irony in having a fast reauthentication mechanism that essentially mandates an additional round-trip, and if you've any suggestions I would really welcome them. One of the handy features of HT-* in its current form is that a server could provide a token which is the encrypted username/password for the user, for services that are forced into using PLAIN in the backend. Dave.
- [kitten] TLS 0-RTT question regarding draft-schma… Nadja von Reitzenstein Cerpnjak
- Re: [kitten] TLS 0-RTT question regarding draft-s… Dave Cridland
- Re: [kitten] TLS 0-RTT question regarding draft-s… Nadja von Reitzenstein Cerpnjak