Re: [kitten] Request for review of a SASL mechanism using the OPAQUE aPAKE
Nadja von Reitzenstein Cerpnjak <me@dequbed.space> Wed, 19 October 2022 15:22 UTC
Return-Path: <me@dequbed.space>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4024BC1522AD for <kitten@ietfa.amsl.com>; Wed, 19 Oct 2022 08:22:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.706
X-Spam-Level:
X-Spam-Status: No, score=-6.706 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (public key: not available)" header.d=dequbed.space
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8woa6fsgeswF for <kitten@ietfa.amsl.com>; Wed, 19 Oct 2022 08:22:22 -0700 (PDT)
Received: from mail2.paranoidlabs.org (tureis.comfix.cc [148.251.10.134]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5ECAAC14CE33 for <kitten@ietf.org>; Wed, 19 Oct 2022 08:22:21 -0700 (PDT)
Received: from [141.23.159.83] (unknown [10.1.0.1]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mail2.paranoidlabs.org (PlabsMail) with ESMTPSA id D6936341C05 for <kitten@ietf.org>; Wed, 19 Oct 2022 15:22:16 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=dequbed.space; s=rsa-20210101; t=1666192938; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=CgI6OheTGiBtZO0F8bZE+RU4tSzUsV8vF5lui1DBS88=; b=FbMG3IBdMv8Bi1jiUaGw+5/v4hWnkTEuLfx5U7Dp2kVhbDrlKclJ1YtStN+NvX87tYjtJE a4mCjKIcxRF/0b7gL/9aT8vWbmU7V8mjX503Dcns6WzUJ1ZFmurW3Yd2pFA5kXpTtrxJQY 3Zl1KK534RLE6g9d62l90Oo83R6XGdJ4+Jki3v3oaVfBOmvF2JE7ziNeeaYOYx12nvPVbm e3g8fZGsDCQacQqLSGluMBqYqRXiK3G66dtBQixvh0qkEnc3AaBnHen5JvBp9JiewbxH15 2kzwDTvJ7EoZkxlpTSig2PoZsHgh45W+uxFeyBow+IddFfjev7rLu4DFE25j0A==
Message-ID: <4bd71069-a974-2e9d-6aed-7120e7512a51@dequbed.space>
Date: Wed, 19 Oct 2022 17:22:12 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.3.3
To: kitten@ietf.org
References: <e5a00d86-48a1-d602-0ee8-8cb80c06f826@dequbed.space> <87edvgjgjq.fsf@latte.josefsson.org> <a574a4ec-1aeb-d2fc-85d7-e72d5904a639@dequbed.space> <20221019080823.GA21910@openfortress.nl> <CAKHUCzzzJH8JpME=EpqigRn_YTwPdU2r7dqwx5Eo011nWFtMcA@mail.gmail.com>
Content-Language: en-US
From: Nadja von Reitzenstein Cerpnjak <me@dequbed.space>
In-Reply-To: <CAKHUCzzzJH8JpME=EpqigRn_YTwPdU2r7dqwx5Eo011nWFtMcA@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/z0agkO5RAhaHdbF4M6ubyFDnkNE>
Subject: Re: [kitten] Request for review of a SASL mechanism using the OPAQUE aPAKE
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Oct 2022 15:22:28 -0000
> > > In fact, the only way I'd approach a security layer is as > "STARTTLS in > > a trench coat" — i.e. by using in essence TLS-PSK to bootstrap the > > TLS context to > > then use as security layer. > > I'm not sure I understand. Are you talking of TLS after SASL? > That is quite uncommon, it is unsafe for most SASL mechanisms > (I know OPAQUE can do this, but most application protocols will > probably not support STARTTLS after AUTH). > > > I assumed that Nadja was suggesting TLS framed as a SASL Security Layer > for the OPAQUE mechanism, so the application protocol would not be doing > STARTTLS at all. > Yes exactly, thank you Dave. And just to clarify, I am talking specifically about how I'd design a security layer for OPAQUE-* if I had to, and OPAQUE is fine with being transmitted in the clear. But my point from the GitHub discussion and my previous email still stands; I don't want to add a security layer. > That's certainly possible, though having TLS prior to the SASL > negotiation has some security advantages in terms of downgrade > protection and confidentiality. Yes and it makes it much easier to configure appropriate ciphers (e.g. only using AES on those systems that can hardware-accelerate it), allows multiplexing or versioning protocols thanks to ALPN, and can save round-trips by being able to already send data before the handshake has completed. And, as you did allude to, having TLS protection prior to authentication hides the authid and authzid of the user logging in from eavesdroppers, which is certainly good for privacy. :) It also has the advantage that protocols that can use unreliable datagram transports like SIP can be protected using the more appropriate DTLS, and that protocols that are transported over internally multiplexed streams, e.g. HTTP/3 that is transported over QUIC, can use their more specialized encryption that prevents head-of-line blocking in the face of packet loss. I don't think that any of these more specialized situations are served well by a SASL security layer. Yes, (D)TLS has its drawbacks and it even has some warts, but well, à la guerre comme à la guerre. ~Nadja
- [kitten] Request for review of a SASL mechanism u… Nadja von Reitzenstein Cerpnjak
- Re: [kitten] Request for review of a SASL mechani… Simon Josefsson
- Re: [kitten] Request for review of a SASL mechani… Dave Cridland
- Re: [kitten] Request for review of a SASL mechani… Florian Schmaus
- Re: [kitten] Request for review of a SASL mechani… Rick van Rein
- Re: [kitten] Request for review of a SASL mechani… Rick van Rein
- Re: [kitten] Request for review of a SASL mechani… Nadja von Reitzenstein Cerpnjak
- Re: [kitten] Request for review of a SASL mechani… Nadja von Reitzenstein Cerpnjak
- Re: [kitten] Request for review of a SASL mechani… Rick van Rein
- Re: [kitten] Request for review of a SASL mechani… Dave Cridland
- Re: [kitten] Request for review of a SASL mechani… Nadja von Reitzenstein Cerpnjak
- Re: [kitten] Request for review of a SASL mechani… Rick van Rein
- Re: [kitten] Request for review of a SASL mechani… Alexey Melnikov