rfc2831bis issues
Hallvard B Furuseth <h.b.furuseth@usit.uio.no> Tue, 14 October 2003 20:41 UTC
Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.10/8.12.8) with ESMTP id h9EKfcI7064250 for <ietf-sasl-bks@above.proper.com>; Tue, 14 Oct 2003 13:41:38 -0700 (PDT) (envelope-from owner-ietf-sasl@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.10/8.12.9/Submit) id h9EKfcsS064249 for ietf-sasl-bks; Tue, 14 Oct 2003 13:41:38 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f
Received: from pat.uio.no (IDENT:7411@pat.uio.no [129.240.130.16]) by above.proper.com (8.12.10/8.12.8) with ESMTP id h9EKfaI7064242 for <ietf-sasl@imc.org>; Tue, 14 Oct 2003 13:41:37 -0700 (PDT) (envelope-from hbf@bombur.uio.no)
Received: from mail-mx2.uio.no ([129.240.10.30]) by pat.uio.no with esmtp (Exim 4.20) id 1A9Vz5-0007Y2-J3 for ietf-sasl@imc.org; Tue, 14 Oct 2003 22:41:35 +0200
Received: from bombur.uio.no ([129.240.186.42]) by mail-mx2.uio.no with esmtp (Exim 4.14) id 1A9Vz4-0006b5-5H; Tue, 14 Oct 2003 22:41:34 +0200
Received: from hbf by bombur.uio.no with local (Exim 2.12 #7) id 1A9Vz3-00041y-00; Tue, 14 Oct 2003 22:41:33 +0200
From: Hallvard B Furuseth <h.b.furuseth@usit.uio.no>
Message-Id: <HBF.20031014t6sc@bombur.uio.no>
To: ietf-sasl@imc.org
Subject: rfc2831bis issues
Date: Tue, 14 Oct 2003 22:41:33 +0200
X-MailScanner-Information: This message has been scanned for viruses/spam. Contact postmaster@uio.no if you have questions about this scanning.
X-UiO-MailScanner: No virus found
Sender: owner-ietf-sasl@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/>
List-ID: <ietf-sasl.imc.org>
List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe>
Here are various editorial and non-editorial comments for
draft-ietf-sasl-rfc2831bis-02.txt.
> Table of Contents
> 3.8 CBC MODE ATTACKS.............................................
Missing page number.
> 1.1 Conventions and Notation
> This specification uses the same ABNF notation and lexical
> conventions as HTTP/1.1 specification; see section 7.
...as well as some named rules defined there (section 7.2).
> The value of a quoted string constant as an octet string does not
> include any terminating null character
...which the C language adds.
[For readers who don't know C, if any.]
> 2.1.1 Step One
>
> The server starts by sending a challenge.
How does it know that it should do that?
> nonce
> Note
> that since the string is passed as a quoted string, the
> double-quote
and backslash?
> character is not allowed unless escaped (see section
> 7.2).
I think this applies to other quoted strings than the nonce.
> server_maxbuf ("maximal ciphertext buffer size")
> Let call "maximal cleartext buffer size" (or "maximal sender
> size") the maximal size of a cleartext buffer that, after being
"Let call"? Should be "Call", or "Let .... be", I think.
> charset
> This directive, if present, specifies that the server supports
> UTF-8 [UTF-8] encoding for the username, realm and password. If
> present, the username, realm and password are in Unicode, prepared
> using the "SASLPrep" profile [SASLPrep] of the "stringprep"
> algorithm [StringPrep] and than encoded as UTF-8 [UTF-8]. If not
> present, the username, realm and password MUST be encoded in ISO
> 8859-1 [ISO-8859] (of which US-ASCII [USASCII] is a subset).
There is no username and password sent by the server. Do you mean the
_client_ MUST send them in UTF-8 if "charset" is given by the server?
> cipher-opts
> "qop-options" directive, in which case the "3des" cipher is
> mandatory-to-implement.
I suggest you remove the "-"s in mandatory-to-implement.
> 2.1.2 Step Two
> digest-uri
> Indicates the principal name of the service with which the client
> wishes to connect, formed from the serv-type, host, and serv-name.
> For example, the FTP service on "ftp.example.com" would have a
> "digest-uri" value of "ftp/ftp.example.com"; the SMTP server from
> the example above would have a "digest-uri" value of
> "SMTP/mail3.example.com/example.com".
>
> Servers SHOULD check that the supplied value is correct. This will
> detect accidental connection to the incorrect server, as well as some
> redirection attacks. It is also so that clients will be trained to
> provide values that will work with implementations that use a shared
> back-end authentication service that can provide server
> authentication.
>
> The serv-type component should match the service being offered. The
> host component should match one of the host names of the host on
> which the service is running, or it's IP address. Servers SHOULD NOT
> normally support the IP address form, because server authentication
> by IP address is not very useful; they should only do so if the DNS
> is unavailable or unreliable. The serv-name component should match
> one of the service's configured service names.
>
> This directive may appear at most once; if multiple instances are
> present, the client should abort the authentication exchange.
>
> Note: In the HTTP use of Digest authentication, the digest-uri is the
> URI (usually a URL) of the resource requested -- hence the name of
> the directive.
Is this entire section about digest-uri? If so, most of it should be
indented.
> authzid
> The server SHOULD verify the correctness of an authzid as
> specified by the corresponding SASL protocol profile.
Which corresponding SASL profile?
> 2.2 Subsequent Authentication
>
> If the client has previously authenticated to the server, and
> remembers the values of username, realm, nonce, nonce-count, cnonce,
^^^^^^^^
> and qop that it used in that authentication, and the SASL profile for
> a protocol permits an initial client response, then it MAY perform
> "subsequent authentication", as defined in this section.
What's the point of authenticating again with the same username? Auth
with a _different_ username would be more interesting.
> 2.2.2 Step Two
> If the response is valid, the server MAY choose to deem that
> authentication has succeeded. However, if it has been too long since
> the previous authentication, or for any o including the next
> subsequent authentication, between the client and the server MUST be
> integrity protected.
I don't understand the text starting with "or from any o".
> Using as a base session key the value of H(A1)
> as defined above
need a "," here
> Upon receipt, MAC(Ki, SeqNum, msg) is computed and compared with the
> received value; the message is discarded if they differ. The
> receiver's sequence counter is incremented if they match.
Doesn't the server send a response? How does the client know that the
authentication is completed?
> 2.4 Confidentiality Protection
>
> If the server sent a "cipher-opts" directive and the client responded
> with a "cipher" directive, then subsequent messages between the
> client and the server MUST be confidentiality protected.
What is confidentiality protection?
> The IV used to send/receive the initial buffer
You might say "Initialization Vector (IV)" again here, it's been a while
since you mentined what an IV is.
> SEAL(Ki, Kc, SeqNum, msg) =
> {CIPHER(Kc, {msg, pad, HMAC(Ki, {SeqNum, msg})[0..9]}), 0x0001,
> SeqNum}
SEAL? That is never used in this document.
> 5.1 Normative references
> [RFC 2222] Myers, J., "Simple Authentication and Security Layer
> (SASL)", RFC 2222, October 1997.
Should be [SASL] draft-ietf-sasl-rfc2222bis-02.txt.
> [Unicode] The Unicode Consortium, "The Unicode Standard, Version
Indent "The".
> [UTF-8] Yergeau, "UTF-8, a transformation format of ISO 10646", RFC
> 2279, Janyary 1998.
Indent "Yergeau".
> [RFC 2732] Hinden, R., Carpenter, B., Masinter, L., "Format for
Unindent "Hinden".
> [FIPS] National Institute of Standards and Technology, "DES Modes of
Indent "National".
> [AES] Daemen, J., Rijmen, V., "The Rijndael Block Cipher",
Indent "Daemen".
> 5.2 Informative references
> [MD5] Kaliski, B.,Robshaw, M., "Message Authentication with MD5",
Indent "Kaliski".
> [TLS-CBC] Moeller, B., "Security of CBC Ciphersuites in SSL/TLS:
Indent "Moeller".
> 7.1 Augmented BNF
Since <"> means to enclose a literal, you might replace other <">s with
<'>s in this section. E.g.
> rule1 | rule2
> Elements separated by a bar ("|") are alternatives, e.g., "yes |
> no" will accept yes or no.
Elements separated by a bar ('|') are alternatives, e.g., 'yes |
no' will accept yes or no.
> #rule
> ( *LWS element *( *LWS "," *LWS element ))
Should this really be asymmetric, or should it be
( element *( *LWS "," *LWS element ))
or
( *LWS element *( *LWS "," *LWS element ) *LWS )
?
> 7.2 Basic Rules
> OCTET = <any 8-bit character>
s/character/byte/, I think. A byte in a multi-byte UTF-8 character
is not normally considered a character.
> 8 Sample Code
> for (scan = base; scan < end; ++scan) {
> if (*scan > 0xC3) break; /* abort if outside 8859-1 */
> if (*scan >= 0xC0 && *scan <= 0xC3) {
> if (++scan == end || *scan < 0x80 || *scan > 0xBF)
> break;
/*
* Handle invalid UTF-8-like sequences, e.g. '\0'
* encoded as "\xC0\x80". Accepting such sequences
* is a security risk, according to [UTF-8].
*/
if (*scan < 0xC2)
return an error or something;
Error return also requires the return type of the function to be
changed, and a 'return success' at the end. Maybe another way is to
simply not translate invalid UTF-8 strings to iso8859-1.
This should also be discussed in the section which says that UTF-8
should be converted to iso8859-1 when possible.
> }
> }
--
Hallvard
- rfc2831bis issues Hallvard B Furuseth
- Re: rfc2831bis issues Alexey Melnikov
- Re: rfc2831bis issues Hallvard B Furuseth
- Re: rfc2831bis issues Alexey Melnikov
- Re: rfc2831bis issues Hallvard B Furuseth
- Re: rfc2831bis issues Alexey Melnikov