Re: [kitten] [EXTERNAL] Re: Question about AES mode in Kerberos
Luke Howard Bentata <lukeh@padl.com> Fri, 06 January 2023 11:39 UTC
Return-Path: <lukeh@padl.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 638CBC14CE42 for <kitten@ietfa.amsl.com>; Fri, 6 Jan 2023 03:39:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.095
X-Spam-Level:
X-Spam-Status: No, score=-2.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=padl.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TdEQsMAsEB8z for <kitten@ietfa.amsl.com>; Fri, 6 Jan 2023 03:39:38 -0800 (PST)
Received: from us.padl.com (us.padl.com [216.154.215.154]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D773EC14CE3E for <kitten@ietf.org>; Fri, 6 Jan 2023 03:39:37 -0800 (PST)
Received: from auth (localhost [127.0.0.1]) by us.padl.com (8.14.7/8.14.7) with ESMTP id 306BdTFB032079 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Fri, 6 Jan 2023 11:39:32 GMT
DKIM-Filter: OpenDKIM Filter v2.11.0 us.padl.com 306BdTFB032079
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=padl.com; s=default; t=1673005173; bh=Y7/27J2VOUTBY02PY5J7yh2mYGaXeo5YGrBO8+xcN4A=; h=From:Subject:Date:In-Reply-To:Cc:To:References:From; b=T6IZS4Kj+QZEZCq3i/q4IUK3NrKsWxQvMgwgVSF8QVOb6wc62RRPRl8fa/vby/Z/C mYeQ9Gkm9QDaOy2scmWjsYY6N+oU4uA7e+TXXc9lFRMpshGil6/Ayz45Y7PhL7p/ET qqDzBpqx1vkKMYE3SgfzufryKQ/eNbBr40G+//ld0lOJkfkrgK7EWEKYRE0wuaJhPB TY65ZbRdE0ydHu8ofO9CTiw7GhXeWejf13Z1MVjWNcrLLHzzwxTPU3e6L/SE52y4x1 foT5GjSr1eE/QWr6JJ09YxmASmUHff1JUujfULwRQll2YOgfElFAdGRc+hv499KPeJ c+cequggoUrIA==
From: Luke Howard Bentata <lukeh@padl.com>
Message-Id: <F270B9DE-6770-4F0A-9340-FD35DABF1AAA@padl.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_8CC0C9B9-4ECC-4E9B-A07A-E95EA6F4154F"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.200.110.1.12\))
Date: Fri, 06 Jan 2023 22:39:17 +1100
In-Reply-To: <9ACBF03D-4137-4E9A-963E-4D07082FC805@padl.com>
To: "kitten@ietf.org" <kitten@ietf.org>
References: <CAN-5tyGGJXoo9RfKEGTsk8XeQDpZ--VSnO7nunzvnBBzrRB0WQ@mail.gmail.com> <558f31de-7fac-26c7-fe81-8e486968f0ef@secure-endpoints.com> <7B46A5A4-4415-4627-B964-44F2516D84FE@padl.com> <9464B1FF-6784-4D59-A4F6-1B5D58C2B94F@padl.com> <MW4PR21MB1970090CC5E20FC4BADA0B469CFA9@MW4PR21MB1970.namprd21.prod.outlook.com> <B970CFE5-FB03-47C2-87F4-BFC82C87D13A@padl.com> <9ACBF03D-4137-4E9A-963E-4D07082FC805@padl.com>
X-Mailer: Apple Mail (2.3731.200.110.1.12)
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/zy60ZpCZYgVk24G2niu2Svj5VLo>
Subject: Re: [kitten] [EXTERNAL] Re: Question about AES mode in Kerberos
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Jan 2023 11:39:42 -0000
I propose adding something like: When the acceptor proposes a sub-session key, the initiator MUST send a sub-session key in the AP-REQ which SHALL be used to encrypt the AP-REP enc-part rather than the ticket session key. This avoids an attacker replaying an AP-REP and forcing the initiator to reuse an acceptor sub-session key. Key reuse breaks the security properties of encryption types such as GCM. > On 6 Jan 2023, at 7:30 pm, Luke Howard <lukeh=40padl.com@dmarc.ietf.org> wrote: > > Slightly refreshed draft here: > > https://www.ietf.org/archive/id/draft-howard-gssapi-aead-01.txt > > Refreshed implementation here: > > https://github.com/heimdal/heimdal/tree/lukeh/aes-gcm > > I added some text about why EC and RRC are safe to leave unprotected (they’re known constants which can be validated by the peer, generally zero except for EC wrap tokens without confidentiality). > > Nico points out we should use this opportunity to encrypt the AP-REP enc-part in the initiator sub-session rather than the ticket session key. Otherwise you can replay an AP-REP against an AP-REQ made with the same ticket, which would be bad for GCM (as we are using a deterministic IV). I haven’t updated the draft yet to reflect this. > >> On 5 Jan 2023, at 3:32 pm, Luke Howard Bentata <lukeh=40padl.com@dmarc.ietf.org <mailto:lukeh=40padl.com@dmarc.ietf.org>> wrote: >> >> >> >>> On 5 Jan 2023, at 12:39 pm, Steve Syfuhs (AP) <Steve.Syfuhs=40microsoft.com@dmarc.ietf.org <mailto:Steve.Syfuhs=40microsoft.com@dmarc.ietf.org>> wrote: >>> >>> Us Windows folks are vaguely interested. With our RC4 deprecation work winding down, it’d be nice to get something going for post-sha256. That said we don’t have a need for GCM yet. Just looking at it from a crypto-agility perspective. >> >> Because the profile doesn’t actually support longterm keys, it avoids any longterm key-related agility issues (you’d carry on using AES session keys, and CCM/GCM is negotiated through RFC4537). So that makes things a little more straightforward. >> >> Anyway, have a look at the drafts, let me know if you have any questions, in the interim I’m rebasing on top of Heimdal master. >> _______________________________________________ >> Kitten mailing list >> Kitten@ietf.org <mailto:Kitten@ietf.org> >> https://www.ietf.org/mailman/listinfo/kitten > > _______________________________________________ > Kitten mailing list > Kitten@ietf.org > https://www.ietf.org/mailman/listinfo/kitten
- [kitten] Question about AES mode in Kerberos Olga Kornievskaia
- Re: [kitten] Question about AES mode in Kerberos Jeffrey Altman
- Re: [kitten] Question about AES mode in Kerberos Olga Kornievskaia
- Re: [kitten] Question about AES mode in Kerberos Jeffrey Altman
- Re: [kitten] [EXTERNAL] Re: Question about AES mo… Steve Syfuhs (AP)
- Re: [kitten] Question about AES mode in Kerberos Luke Howard
- Re: [kitten] [EXTERNAL] Re: Question about AES mo… Paul Miller (NT)
- Re: [kitten] [EXTERNAL] Re: Question about AES mo… Olga Kornievskaia
- Re: [kitten] [EXTERNAL] Re: Question about AES mo… Steve Syfuhs (AP)
- Re: [kitten] [EXTERNAL] Re: Question about AES mo… Luke Howard Bentata
- Re: [kitten] Question about AES mode in Kerberos Luke Howard Bentata
- Re: [kitten] [EXTERNAL] Re: Question about AES mo… Steve Syfuhs (AP)
- Re: [kitten] [EXTERNAL] Re: Question about AES mo… Luke Howard Bentata
- Re: [kitten] [EXTERNAL] Re: Question about AES mo… Luke Howard
- Re: [kitten] [EXTERNAL] Re: Question about AES mo… Luke Howard Bentata
- Re: [kitten] [EXTERNAL] Re: Question about AES mo… Ken Hornstein
- Re: [kitten] Question about AES mode in Kerberos Olga Kornievskaia
- Re: [kitten] [EXTERNAL] Re: Question about AES mo… Luke Howard Bentata
- Re: [kitten] Question about AES mode in Kerberos Luke Howard Bentata
- Re: [kitten] Question about AES mode in Kerberos Greg Hudson
- Re: [kitten] Question about AES mode in Kerberos Luke Howard Bentata
- Re: [kitten] Question about AES mode in Kerberos Luke Howard Bentata
- Re: [kitten] Question about AES mode in Kerberos Luke Howard
- Re: [kitten] Question about AES mode in Kerberos Olga Kornievskaia
- Re: [kitten] Question about AES mode in Kerberos Luke Howard Bentata
- Re: [kitten] Question about AES mode in Kerberos Greg Hudson
- Re: [kitten] Question about AES mode in Kerberos Luke Howard
- Re: [kitten] Question about AES mode in Kerberos Olga Kornievskaia
- Re: [kitten] Question about AES mode in Kerberos Olga Kornievskaia
- Re: [kitten] Question about AES mode in Kerberos Luke Howard Bentata
- Re: [kitten] Question about AES mode in Kerberos Nico Williams
- Re: [kitten] Question about AES mode in Kerberos Nico Williams
- Re: [kitten] [EXTERNAL] Re: Question about AES mo… Steve Syfuhs (AP)
- Re: [kitten] [EXTERNAL] Re: Question about AES mo… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Question about AES mo… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Question about AES mo… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Question about AES mo… Nico Williams
- Re: [kitten] Question about AES mode in Kerberos Nico Williams
- Re: [kitten] Question about AES mode in Kerberos Nico Williams
- Re: [kitten] Question about AES mode in Kerberos Luke Howard
- Re: [kitten] Question about AES mode in Kerberos Luke Howard
- Re: [kitten] Question about AES mode in Kerberos Olga Kornievskaia
- Re: [kitten] Question about AES mode in Kerberos Luke Howard Bentata