Re: [saag] Improving the CHAP protocol

"Mark D. Baushke" <mdb@juniper.net> Wed, 25 September 2019 19:11 UTC

Return-Path: <mdb@juniper.net>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A21AA120288 for <saag@ietfa.amsl.com>; Wed, 25 Sep 2019 12:11:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level:
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=juniper.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dZewaa-H4AfH for <saag@ietfa.amsl.com>; Wed, 25 Sep 2019 12:11:27 -0700 (PDT)
Received: from mx0b-00273201.pphosted.com (mx0b-00273201.pphosted.com [67.231.152.164]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E2AC112022C for <saag@ietf.org>; Wed, 25 Sep 2019 12:11:26 -0700 (PDT)
Received: from pps.filterd (m0108161.ppops.net [127.0.0.1]) by mx0b-00273201.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id x8PJ9lPm014207; Wed, 25 Sep 2019 12:11:16 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=juniper.net; h=to : cc : subject : in-reply-to : references : from : mime-version : content-type : content-id : date : message-id; s=PPS1017; bh=19qIpN2313AytDBW9NyviGSS7dM0HC3rmeZ0Hg1ywUc=; b=GnpQQFiCD3s1cD1KqlU0uf8cowFEcuXUwYuaB8EO5Dy7G9SFX16L9pGSWRnnWMO5Rcky 6kalje0hQ+CS2N1VSVDJCYFzZAKK4DIePttKAQoJ8v/QPkWFZ6xrE45JcC5UrMuO0c20 CR1IX6PQQoymSukSTUEtAUNzkgJR23J6ZRhgMfJNdwUbpDyQGXf13g4VbeQFxodkoB4J V62SBYT9nNQGyGYr0ryhFg9GeHwiyg706QmajrF5LnlWG3me0AmeE1fLRM0FUpd4Lm2T 6HPSq67wFHszPxsqMoV2cDFxU9QkOZcfP6qoTayyBTjtlEJXYuPLBS0K5vrrbtHARzeP DA==
Received: from nam02-sn1-obe.outbound.protection.outlook.com (mail-sn1nam02lp2054.outbound.protection.outlook.com [104.47.36.54]) by mx0b-00273201.pphosted.com with ESMTP id 2v7kv2tnhp-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Wed, 25 Sep 2019 12:11:15 -0700
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=d2qBSuOCdt2xzSw5Ni333AsB8WnePIOZ702dNLI4biBhXvoBAGMjCwD6kJnLQnsomotNT6dewc2AfOei2HbPLc2WJWCsKhvUFdpF2irivrgi9e7GeGx8gkxHh/9sH5JJcQirWNuavIK9sd7G050gETAU5h/IhnEjlQw6fkHFRP7oE0ob8vuaKPArcGvEhf+TrSpWHxp5dQ/oRQFHzB/boxy4jhmCwkb5Co+1O66z/h/7VnUbEThqMD0Zvylz5wt9KlYmYBEKsKzSyaSZQC7pDB7khZAHwCfcYz53edkUnt/C2vbVf0UiDJJbVbf0sw1CN8TJX5J9ESyMqYFlaV/kwQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=19qIpN2313AytDBW9NyviGSS7dM0HC3rmeZ0Hg1ywUc=; b=M9oiF5B6nvg1i4uxi7j2rOm6oztHbcd38iftalIK1bjVl27Bd4SLQpc9GNApXsDxV/cWIGDwx8lBuKds2G5wvvzUrEyKHaEhTaBUDLlFKd0XJQFUDBzc4Z1wZkCZ/eLAZ2HqCWOGQ0M7Ie1XCHQH7yXEl+ukMThL5IivwQn205vuXQitlFJl5D/SlE74CmK7YTavGbpLtCVfgk0xFP4oaM1kRyMr9S2AQxaPoYLC96ZWTmMuDZdN4KL2+3JgNesJmwragWMck1KKm4f/zaXZh+Hdn6uxgQbktKVSOxCfJgfeRZ4U55dLX5nQnoS68/RVVaZVAlFbSI7G8qQZQDBJ6g==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=softfail (sender ip is 66.129.242.12) smtp.rcpttodomain=ietf.org smtp.mailfrom=juniper.net; dmarc=fail (p=reject sp=reject pct=100) action=oreject header.from=juniper.net; dkim=none (message not signed); arc=none
Received: from BL0PR05CA0023.namprd05.prod.outlook.com (2603:10b6:208:91::33) by MN2PR05MB7086.namprd05.prod.outlook.com (2603:10b6:208:193::13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2305.11; Wed, 25 Sep 2019 19:11:12 +0000
Received: from BY2NAM05FT005.eop-nam05.prod.protection.outlook.com (2a01:111:f400:7e52::206) by BL0PR05CA0023.outlook.office365.com (2603:10b6:208:91::33) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2305.11 via Frontend Transport; Wed, 25 Sep 2019 19:11:12 +0000
Received-SPF: SoftFail (protection.outlook.com: domain of transitioning juniper.net discourages use of 66.129.242.12 as permitted sender)
Received: from P-EXFEND-EQX-01.jnpr.net (66.129.242.12) by BY2NAM05FT005.mail.protection.outlook.com (10.152.100.142) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.2305.15 via Frontend Transport; Wed, 25 Sep 2019 19:11:12 +0000
Received: from P-EXBEND-EQX-02.jnpr.net (10.104.8.53) by P-EXFEND-EQX-01.jnpr.net (10.104.8.54) with Microsoft SMTP Server (TLS) id 15.0.1367.3; Wed, 25 Sep 2019 12:11:11 -0700
Received: from P-EXBEND-EQX-01.jnpr.net (10.104.8.52) by P-EXBEND-EQX-02.jnpr.net (10.104.8.53) with Microsoft SMTP Server (TLS) id 15.0.1367.3; Wed, 25 Sep 2019 12:11:11 -0700
Received: from p-mailhub01.juniper.net (10.104.20.6) by P-EXBEND-EQX-01.jnpr.net (10.104.8.52) with Microsoft SMTP Server (TLS) id 15.0.1367.3 via Frontend Transport; Wed, 25 Sep 2019 12:11:11 -0700
Received: from contrail-ubm16-mdb.svec1.juniper.net ([10.163.18.199]) by p-mailhub01.juniper.net (8.14.4/8.11.3) with ESMTP id x8PJB9KQ012555; Wed, 25 Sep 2019 12:11:10 -0700 (envelope-from mdb@juniper.net)
To: Jim Schaad <ietf@augustcellars.com>
CC: David Black <David.Black@dell.com>, <saag@ietf.org>
In-Reply-To: <01ae01d573c7$97de44b0$c79ace10$@augustcellars.com>
References: <9641f69d-0ffb-1c1d-7fb6-98ef4a54ad2c@redhat.com> <1569087342890.52733@cs.auckland.ac.nz> <4354cf7e-74f2-d36c-5fa0-587a2118a507@redhat.com>, <CE03DB3D7B45C245BCA0D243277949363070E288@MX307CL04.corp.emc.com> <1569336830344.45369@cs.auckland.ac.nz> <CE03DB3D7B45C245BCA0D2432779493630711EBF@MX307CL04.corp.emc.com> <01ae01d573c7$97de44b0$c79ace10$@augustcellars.com>
Comments: In-reply-to: Jim Schaad <ietf@augustcellars.com> message dated "Wed, 25 Sep 2019 10:35:13 -0700."
From: "Mark D. Baushke" <mdb@juniper.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-ID: <26765.1569438669.1@contrail-ubm16-mdb.svec1.juniper.net>
Date: Wed, 25 Sep 2019 12:11:09 -0700
Message-ID: <26766.1569438669@contrail-ubm16-mdb.svec1.juniper.net>
X-EXCLAIMER-MD-CONFIG: e3cb0ff2-54e7-4646-8a04-0dae4ac7b136
X-EOPAttributedMessage: 0
X-MS-Office365-Filtering-HT: Tenant
X-Forefront-Antispam-Report: CIP:66.129.242.12; IPV:CAL; SCL:-1; CTRY:US; EFV:NLI; SFV:NSPM; SFS:(10019020)(4636009)(376002)(396003)(346002)(39860400002)(136003)(199004)(189003)(186003)(478600001)(6916009)(46406003)(97876018)(76130400001)(81156014)(14444005)(8676002)(81166006)(8936002)(23726003)(5660300002)(76176011)(70206006)(97756001)(47776003)(305945005)(4326008)(126002)(26005)(316002)(11346002)(16586007)(4744005)(2906002)(336012)(476003)(426003)(70586007)(446003)(54906003)(486006)(86362001)(7696005)(356004)(26826003)(6246003)(117636001)(50466002)(229853002)(62816006); DIR:OUT; SFP:1102; SCL:1; SRVR:MN2PR05MB7086; H:P-EXFEND-EQX-01.jnpr.net; FPR:; SPF:SoftFail; LANG:en; PTR:InfoDomainNonexistent; A:1; MX:1;
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 04996dd2-054f-4347-3245-08d741ec2127
X-MS-TrafficTypeDiagnostic: MN2PR05MB7086:
X-Microsoft-Antispam-PRVS: <MN2PR05MB7086315A08B3794B6486601BBF870@MN2PR05MB7086.namprd05.prod.outlook.com>
X-MS-Oob-TLC-OOBClassifiers: OLM:7219;
X-Forefront-PRVS: 01713B2841
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: LKw8UNYPoSDAX4XzEJi+QKdUxNUowYP3b+thiGUZyv6ffJBl1yh9845l5O9AKo458y82B77bKe/RFctMnqHlaNV2BfpbhkYcotoeiRwVeSc4dIrfI4/DbHiGPeqKIm7UBtepUZvJipM7hoaZ06fMIyS3c2fwxJ5HiGgFLpEWkQCBRluVJHIEqD7Yad8oU9oTmbyBRSljt4i0V8HBhO6pPBaddw+BwD6/gi1k+Qbtdq84djsB/rS2bBo43SBczlkoocjMKi8pcCPEyG7pZ4dtwDtSlKVBmbYaPS3ikU9tOTjFBTuvNdwJabAeEm3DEAbvs8QGHmZBYsO7qD0HUl5Q7/rXwy9ASfRcNdqlCTurL8+oYrIVjgd12cvFRBGrTMDY4j3kgei+kxDjyeBY5lga2WnKZmYU1mWQAOzQOVD3nu8=
X-OriginatorOrg: juniper.net
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 25 Sep 2019 19:11:12.0278 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 04996dd2-054f-4347-3245-08d741ec2127
X-MS-Exchange-CrossTenant-Id: bea78b3c-4cdb-4130-854a-1d193232e5f4
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=bea78b3c-4cdb-4130-854a-1d193232e5f4; Ip=[66.129.242.12]; Helo=[P-EXFEND-EQX-01.jnpr.net]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MN2PR05MB7086
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.95,1.0.8 definitions=2019-09-25_08:2019-09-25,2019-09-25 signatures=0
X-Proofpoint-Spam-Details: rule=outbound_spam_notspam policy=outbound_spam score=0 mlxscore=0 suspectscore=1 mlxlogscore=472 bulkscore=0 phishscore=0 spamscore=0 lowpriorityscore=0 priorityscore=1501 adultscore=0 clxscore=1011 malwarescore=0 impostorscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-1908290000 definitions=main-1909250160
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/4LRitN1IFI5sNTzPVzt4cZAnR-Q>
Subject: Re: [saag] Improving the CHAP protocol
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Sep 2019 19:11:29 -0000

Jim Schaad <ietf@augustcellars.com>; writes:

> If you do that, I don't know if you want SHA3-256 or SHAKE. SHAKE
> seems to be used more from what I have seen so far.

I think SHAKE256 is the better entry in my opinion if you want something
for the future.

I believe you will find implementations in popular crypto libraries
(provided in alphabetical order) such as Bouncy Castle, Crypto++,
Libgcrypt, and OpenSSL.

	-- Mark