Re: [kitten] SPAKE preauth: generation of SPAKE2 secret input
Benjamin Kaduk <kaduk@MIT.EDU> Thu, 14 May 2015 14:39 UTC
Return-Path: <kaduk@mit.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1F2501B2B36 for <kitten@ietfa.amsl.com>; Thu, 14 May 2015 07:39:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.211
X-Spam-Level:
X-Spam-Status: No, score=-4.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bP6s2-7_8g3F for <kitten@ietfa.amsl.com>; Thu, 14 May 2015 07:39:39 -0700 (PDT)
Received: from dmz-mailsec-scanner-3.mit.edu (dmz-mailsec-scanner-3.mit.edu [18.9.25.14]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 262DE1B2B3A for <kitten@ietf.org>; Thu, 14 May 2015 07:39:35 -0700 (PDT)
X-AuditID: 1209190e-f79a76d000000d1b-38-5554b3a6b620
Received: from mailhub-auth-3.mit.edu ( [18.9.21.43]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-3.mit.edu (Symantec Messaging Gateway) with SMTP id 2B.6F.03355.6A3B4555; Thu, 14 May 2015 10:39:34 -0400 (EDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-3.mit.edu (8.13.8/8.9.2) with ESMTP id t4EEdYpK028981; Thu, 14 May 2015 10:39:34 -0400
Received: from multics.mit.edu (system-low-sipb.mit.edu [18.187.2.37]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id t4EEdWxf009937 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Thu, 14 May 2015 10:39:33 -0400
Received: (from kaduk@localhost) by multics.mit.edu (8.12.9.20060308) id t4EEdVtl026900; Thu, 14 May 2015 10:39:31 -0400 (EDT)
Date: Thu, 14 May 2015 10:39:31 -0400
From: Benjamin Kaduk <kaduk@MIT.EDU>
To: Watson Ladd <watsonbladd@gmail.com>
In-Reply-To: <alpine.GSO.1.10.1505140017320.22210@multics.mit.edu>
Message-ID: <alpine.GSO.1.10.1505141027470.22210@multics.mit.edu>
References: <x7dk2wd6355.fsf@equal-rites.mit.edu> <20150512214740.GT7287@localhost> <1431525091.3260.26.camel@redhat.com> <CACsn0cm9AEG+oi8S+trhvyHpFFLF=-tG4Qazp5e6SgnS037K+Q@mail.gmail.com> <20150513160549.GV7287@localhost> <CACsn0cnO0To1a77x0Tp+Qk414Zv_yqnoC-wuS4vgJbQN+mV+7Q@mail.gmail.com> <alpine.GSO.1.10.1505140017320.22210@multics.mit.edu>
User-Agent: Alpine 1.10 (GSO 962 2008-03-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFnrPIsWRmVeSWpSXmKPExsUixCmqrbtsc0iowbdXphZHN69isejpPMnm wOSxc9Zddo8lS34yBTBFcdmkpOZklqUW6dslcGXMufmDtWCpcMWC84fZGxiP8ncxcnJICJhI tGw7wgphi0lcuLeerYuRi0NIYDGTxI9XSxkhnI2MEr/uLmWBcA4xSSz5tYUVwmlglNiy5DxY P4uAtsTTe6tZQGw2ARWJmW82soHYIgLqEhOWbwKLMwsIS6w/N4MZxBYWcJM486mLEcTmFHCS mLL1GhOIzSvgKLFqwzqoO+4ySez6swosISqgI7F6/xQWiCJBiZMzn0AN1ZJYPn0bywRGwVlI UrOQpBYwMq1ilE3JrdLNTczMKU5N1i1OTszLSy3SNdbLzSzRS00p3cQIDldJvh2MXw8qHWIU 4GBU4uF94RASKsSaWFZcmXuIUZKDSUmUt30dUIgvKT+lMiOxOCO+qDQntfgQowQHs5IIb90m oBxvSmJlVWpRPkxKmoNFSZx30w++ECGB9MSS1OzU1ILUIpisDAeHkgTvzo1AjYJFqempFWmZ OSUIaSYOTpDhPEDDi8CGFxck5hZnpkPkTzEqSonzPgVpFgBJZJTmwfXC0skrRnGgV4R5I0Da eYCpCK77FdBgJqDBlmFgg0sSEVJSDYzFgperua2LPU4effk0ekdIi++MqQxTOTlPRjZOZf69 5J60p76UnL2eYNmxZLev7nOCMwR2dLh38e5I+Zf6tNu225DJabfpwy8/lp4oqp1mE5XB5sEy 3+XGywd3RVvKbF6y1rf9OMRyKW95z8msjVtqj/g7fGlWKF528YDmvNRawQdqDNOfnFdiKc5I NNRiLipOBABUIB5MAgMAAA==
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/zIB1I4cSTpTuMy1IsjI8lm2OqoU>
Cc: kitten@ietf.org
Subject: Re: [kitten] SPAKE preauth: generation of SPAKE2 secret input
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 May 2015 14:39:46 -0000
On Thu, 14 May 2015, Benjamin Kaduk wrote: > On Thu, 14 May 2015, Watson Ladd wrote: > > > On May 13, 2015 9:05 AM, "Nico Williams" <nico@cryptonector.com> wrote: > > > > > > > > > That depends on how its salted. For our purposes, in practice it's not. > > > > Not true: w comes from a much smaller list of values. If it was > > uniformly distributed over a wide range, we could use it as a key > > directly. > > In the scheme kitten is considering, w is an existing kerberos long-term > (password-derived) key, so at least 128 bits and with no clear structure. Now that I am awake (i.e., not falling asleep), I should clarify that w is planned to be the output of a KDF or PRF construction keyed on the kerberos long-term key I mentioned, not the key itself. (I don't think this was very clear in the -00, though, and we discussed it on the list a fair amount.) To give something of a summary of the propsal with background from kerberos: In kerberos, we have password-derived keys that are used for initial user authentication; the KDC ends up sending a response with session key, encrypted in the long-term password-derived key. (Sometimes the user sends a timestamp encrypted in that key as "pre-authentication".) Regardless, an attacker can easily get a ciphertext in this password-derived key, and since some users will always pick weak passwords, some of this traffic will succumb to a brute-force guessing attack. The proposal in draft-mccallum-kitten-krb-spake-preauth is to use SPAKE(2) as a zero-knowledge proof, not of the password itself, but rather of the password-derived kerberos key, so that existing kerberos deployments can seamlessly be upgraded to use this new preauthentication scheme which does not expose ciphertexts in the password-derived key to an attacker. As an additional feature, it allows for a second factor to be included in the key exchange in a fashion such that an attacker trying online guessing cannot tell which of the password or second factor was incorrect. So, the "password" input to spake is not the user's actual password, but rather this kerberos long-term password-derived key, which has already been through a salted PBKDF2 (or similar, for older enctypes). As is normal for use of long-term kerberos keys, it will go through a key-derivation step before being used. Hopefully that gives some background to the questions we were asking for input on. -Ben
- [kitten] SPAKE preauth: generation of SPAKE2 secr… Greg Hudson
- Re: [kitten] SPAKE preauth: generation of SPAKE2 … Nico Williams
- Re: [kitten] SPAKE preauth: generation of SPAKE2 … Nathaniel McCallum
- Re: [kitten] SPAKE preauth: generation of SPAKE2 … Watson Ladd
- Re: [kitten] SPAKE preauth: generation of SPAKE2 … Nico Williams
- Re: [kitten] SPAKE preauth: generation of SPAKE2 … Watson Ladd
- Re: [kitten] SPAKE preauth: generation of SPAKE2 … Benjamin Kaduk
- Re: [kitten] SPAKE preauth: generation of SPAKE2 … Benjamin Kaduk
- Re: [kitten] SPAKE preauth: generation of SPAKE2 … Nico Williams
- Re: [kitten] SPAKE preauth: generation of SPAKE2 … Nico Williams
- Re: [kitten] SPAKE preauth: generation of SPAKE2 … Watson Ladd
- Re: [kitten] SPAKE preauth: generation of SPAKE2 … Nico Williams
- Re: [kitten] SPAKE preauth: generation of SPAKE2 … Nico Williams
- Re: [kitten] SPAKE preauth: generation of SPAKE2 … Simo Sorce
- Re: [kitten] SPAKE preauth: generation of SPAKE2 … Greg Hudson
- Re: [kitten] SPAKE preauth: generation of SPAKE2 … Nico Williams
- Re: [kitten] SPAKE preauth: generation of SPAKE2 … Watson Ladd
- Re: [kitten] SPAKE preauth: generation of SPAKE2 … Greg Hudson