IETF Logo Mail Archive

Re: [kitten] SPAKE preauth: generation of SPAKE2 secret input

Benjamin Kaduk <kaduk@MIT.EDU> Thu, 14 May 2015 14:39 UTC

Return-Path: <kaduk@mit.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1F2501B2B36 for <kitten@ietfa.amsl.com>; Thu, 14 May 2015 07:39:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.211
X-Spam-Level:
X-Spam-Status: No, score=-4.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bP6s2-7_8g3F for <kitten@ietfa.amsl.com>; Thu, 14 May 2015 07:39:39 -0700 (PDT)
Received: from dmz-mailsec-scanner-3.mit.edu (dmz-mailsec-scanner-3.mit.edu [18.9.25.14]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 262DE1B2B3A for <kitten@ietf.org>; Thu, 14 May 2015 07:39:35 -0700 (PDT)
X-AuditID: 1209190e-f79a76d000000d1b-38-5554b3a6b620
Received: from mailhub-auth-3.mit.edu ( [18.9.21.43]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-3.mit.edu (Symantec Messaging Gateway) with SMTP id 2B.6F.03355.6A3B4555; Thu, 14 May 2015 10:39:34 -0400 (EDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-3.mit.edu (8.13.8/8.9.2) with ESMTP id t4EEdYpK028981; Thu, 14 May 2015 10:39:34 -0400
Received: from multics.mit.edu (system-low-sipb.mit.edu [18.187.2.37]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id t4EEdWxf009937 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Thu, 14 May 2015 10:39:33 -0400
Received: (from kaduk@localhost) by multics.mit.edu (8.12.9.20060308) id t4EEdVtl026900; Thu, 14 May 2015 10:39:31 -0400 (EDT)
Date: Thu, 14 May 2015 10:39:31 -0400
From: Benjamin Kaduk <kaduk@MIT.EDU>
To: Watson Ladd <watsonbladd@gmail.com>
In-Reply-To: <alpine.GSO.1.10.1505140017320.22210@multics.mit.edu>
Message-ID: <alpine.GSO.1.10.1505141027470.22210@multics.mit.edu>
References: <x7dk2wd6355.fsf@equal-rites.mit.edu> <20150512214740.GT7287@localhost> <1431525091.3260.26.camel@redhat.com> <CACsn0cm9AEG+oi8S+trhvyHpFFLF=-tG4Qazp5e6SgnS037K+Q@mail.gmail.com> <20150513160549.GV7287@localhost> <CACsn0cnO0To1a77x0Tp+Qk414Zv_yqnoC-wuS4vgJbQN+mV+7Q@mail.gmail.com> <alpine.GSO.1.10.1505140017320.22210@multics.mit.edu>
User-Agent: Alpine 1.10 (GSO 962 2008-03-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFnrPIsWRmVeSWpSXmKPExsUixCmqrbtsc0iowbdXphZHN69isejpPMnm wOSxc9Zddo8lS34yBTBFcdmkpOZklqUW6dslcGXMufmDtWCpcMWC84fZGxiP8ncxcnJICJhI tGw7wgphi0lcuLeerYuRi0NIYDGTxI9XSxkhnI2MEr/uLmWBcA4xSSz5tYUVwmlglNiy5DxY P4uAtsTTe6tZQGw2ARWJmW82soHYIgLqEhOWbwKLMwsIS6w/N4MZxBYWcJM486mLEcTmFHCS mLL1GhOIzSvgKLFqwzqoO+4ySez6swosISqgI7F6/xQWiCJBiZMzn0AN1ZJYPn0bywRGwVlI UrOQpBYwMq1ilE3JrdLNTczMKU5N1i1OTszLSy3SNdbLzSzRS00p3cQIDldJvh2MXw8qHWIU 4GBU4uF94RASKsSaWFZcmXuIUZKDSUmUt30dUIgvKT+lMiOxOCO+qDQntfgQowQHs5IIb90m oBxvSmJlVWpRPkxKmoNFSZx30w++ECGB9MSS1OzU1ILUIpisDAeHkgTvzo1AjYJFqempFWmZ OSUIaSYOTpDhPEDDi8CGFxck5hZnpkPkTzEqSonzPgVpFgBJZJTmwfXC0skrRnGgV4R5I0Da eYCpCK77FdBgJqDBlmFgg0sSEVJSDYzFgperua2LPU4effk0ekdIi++MqQxTOTlPRjZOZf69 5J60p76UnL2eYNmxZLev7nOCMwR2dLh38e5I+Zf6tNu225DJabfpwy8/lp4oqp1mE5XB5sEy 3+XGywd3RVvKbF6y1rf9OMRyKW95z8msjVtqj/g7fGlWKF528YDmvNRawQdqDNOfnFdiKc5I NNRiLipOBABUIB5MAgMAAA==
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/zIB1I4cSTpTuMy1IsjI8lm2OqoU>
Cc: kitten@ietf.org
Subject: Re: [kitten] SPAKE preauth: generation of SPAKE2 secret input
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 May 2015 14:39:46 -0000

On Thu, 14 May 2015, Benjamin Kaduk wrote:

> On Thu, 14 May 2015, Watson Ladd wrote:
>
> > On May 13, 2015 9:05 AM, "Nico Williams" <nico@cryptonector.com> wrote:
> > >
> > >
> > > That depends on how its salted.  For our purposes, in practice it's not.
> >
> > Not true: w comes from a much smaller list of values. If it was
> > uniformly distributed over a wide range, we could use it as a key
> > directly.
>
> In the scheme kitten is considering, w is an existing kerberos long-term
> (password-derived) key, so at least 128 bits and with no clear structure.

Now that I am awake (i.e., not falling asleep), I should clarify that w is
planned to be the output of a KDF or PRF construction keyed on the
kerberos long-term key I mentioned, not the key itself.  (I don't think
this was very clear in the -00, though, and we discussed it on the list a
fair amount.)

To give something of a summary of the propsal with background from
kerberos:

In kerberos, we have password-derived keys that are used for initial user
authentication; the KDC ends up sending a response with session key,
encrypted in the long-term password-derived key.  (Sometimes the user
sends a timestamp encrypted in that key as "pre-authentication".)
Regardless, an attacker can easily get a ciphertext in this
password-derived key, and since some users will always pick weak
passwords, some of this traffic will succumb to a brute-force guessing
attack.

The proposal in draft-mccallum-kitten-krb-spake-preauth is to use SPAKE(2)
as a zero-knowledge proof, not of the password itself, but rather of the
password-derived kerberos key, so that existing kerberos deployments can
seamlessly be upgraded to use this new preauthentication scheme which does
not expose ciphertexts in the password-derived key to an attacker.  As an
additional feature, it allows for a second factor to be included in the
key exchange in a fashion such that an attacker trying online guessing
cannot tell which of the password or second factor was incorrect.  So, the
"password" input to spake is not the user's actual password, but rather
this kerberos long-term password-derived key, which has already been
through a salted PBKDF2 (or similar, for older enctypes).  As is normal
for use of long-term kerberos keys, it will go through a key-derivation
step before being used.

Hopefully that gives some background to the questions we were asking for
input on.

-Ben

v2.23.0 | Report a Bug | By Email