Re: new milestones for charter update
Alexey Melnikov <alexey.melnikov@isode.com> Thu, 20 December 2007 20:52 UTC
Return-path: <owner-ietf-sasl@mail.imc.org>
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1J5SNa-00081h-Nr for sasl-archive-Zoh8yoh9@lists.ietf.org; Thu, 20 Dec 2007 15:52:30 -0500
Received: from balder-227.proper.com ([192.245.12.227]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1J5SNZ-0003GO-6m for sasl-archive-Zoh8yoh9@lists.ietf.org; Thu, 20 Dec 2007 15:52:30 -0500
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id lBKKhrZw055515 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 20 Dec 2007 13:43:53 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id lBKKhrN8055514; Thu, 20 Dec 2007 13:43:53 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f
Received: from rufus.isode.com (rufus.isode.com [62.3.217.251]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id lBKKhq9g055508 for <ietf-sasl@imc.org>; Thu, 20 Dec 2007 13:43:53 -0700 (MST) (envelope-from alexey.melnikov@isode.com)
Received: from [172.16.1.99] (shiny.isode.com [62.3.217.250]) by rufus.isode.com (submission channel) via TCP with ESMTPA id <R2rUBAAMlpmU@rufus.isode.com>; Thu, 20 Dec 2007 20:43:49 +0000
Message-ID: <476AD3F5.9020400@isode.com>
Date: Thu, 20 Dec 2007 20:43:33 +0000
From: Alexey Melnikov <alexey.melnikov@isode.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915
X-Accept-Language: en-us, en
To: Tom Yu <tlyu@MIT.EDU>
CC: ietf-sasl@imc.org
Subject: Re: new milestones for charter update
References: <ldvfxxzoouv.fsf@cathode-dark-space.mit.edu>
In-Reply-To: <ldvfxxzoouv.fsf@cathode-dark-space.mit.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-sasl@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/>
List-ID: <ietf-sasl.imc.org>
List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe>
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 8abaac9e10c826e8252866cbe6766464
Tom Yu wrote: >These are milestones from the proposed charter update, modified to be >about four months later. In about a week, if there are no objections, >I will submit the proposed charter to the IESG. > >Done initial I-D for DIGEST-MD5 to Historic >Done WGLC I-D for DIGEST-MD5 to Historic >Feb 08 initial impl. report questionnaire >Feb 08 initial RFC4422bis >Feb 08 initial I-D for DIGEST-MD5 successor >Feb 08 DIGEST-MD5 to Historic I-D to IESG > > This is Ok with me considering Sam's paternity leave and my business in the Lemonade WG. But I would really like to have more or less solid SCRAM document before we obsolete DIGEST-MD5. >Mar 08 send impl. report questionnaire >Apr 08 compile impl. questionnaire responses >Jun 08 WGLC RFC4422bis >Jun 08 WGLC DIGEST-MD5 successor >Jul 08 discuss impl. questionnaire responses >Aug 08 final impl. report >Aug 08 RFC4422bis to IESG >Aug 08 DIGEST-MD5 successor to IESG > > Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id lBKKhrZw055515 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 20 Dec 2007 13:43:53 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id lBKKhrN8055514; Thu, 20 Dec 2007 13:43:53 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from rufus.isode.com (rufus.isode.com [62.3.217.251]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id lBKKhq9g055508 for <ietf-sasl@imc.org>; Thu, 20 Dec 2007 13:43:53 -0700 (MST) (envelope-from alexey.melnikov@isode.com) Received: from [172.16.1.99] (shiny.isode.com [62.3.217.250]) by rufus.isode.com (submission channel) via TCP with ESMTPA id <R2rUBAAMlpmU@rufus.isode.com>; Thu, 20 Dec 2007 20:43:49 +0000 Message-ID: <476AD3F5.9020400@isode.com> Date: Thu, 20 Dec 2007 20:43:33 +0000 From: Alexey Melnikov <alexey.melnikov@isode.com> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 X-Accept-Language: en-us, en To: Tom Yu <tlyu@MIT.EDU> CC: ietf-sasl@imc.org Subject: Re: new milestones for charter update References: <ldvfxxzoouv.fsf@cathode-dark-space.mit.edu> In-Reply-To: <ldvfxxzoouv.fsf@cathode-dark-space.mit.edu> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> Tom Yu wrote: >These are milestones from the proposed charter update, modified to be >about four months later. In about a week, if there are no objections, >I will submit the proposed charter to the IESG. > >Done initial I-D for DIGEST-MD5 to Historic >Done WGLC I-D for DIGEST-MD5 to Historic >Feb 08 initial impl. report questionnaire >Feb 08 initial RFC4422bis >Feb 08 initial I-D for DIGEST-MD5 successor >Feb 08 DIGEST-MD5 to Historic I-D to IESG > > This is Ok with me considering Sam's paternity leave and my business in the Lemonade WG. But I would really like to have more or less solid SCRAM document before we obsolete DIGEST-MD5. >Mar 08 send impl. report questionnaire >Apr 08 compile impl. questionnaire responses >Jun 08 WGLC RFC4422bis >Jun 08 WGLC DIGEST-MD5 successor >Jul 08 discuss impl. questionnaire responses >Aug 08 final impl. report >Aug 08 RFC4422bis to IESG >Aug 08 DIGEST-MD5 successor to IESG > > Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id lBKGt7w0035551 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 20 Dec 2007 09:55:07 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id lBKGt7Gx035550; Thu, 20 Dec 2007 09:55:07 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from brmea-mail-3.sun.com (brmea-mail-3.Sun.COM [192.18.98.34]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id lBKGt4Z8035541 for <ietf-sasl@imc.org>; Thu, 20 Dec 2007 09:55:07 -0700 (MST) (envelope-from Nicolas.Williams@sun.com) Received: from dm-central-02.central.sun.com ([129.147.62.5]) by brmea-mail-3.sun.com (8.13.6+Sun/8.12.9) with ESMTP id lBKGt4R1022911 for <ietf-sasl@imc.org>; Thu, 20 Dec 2007 16:55:04 GMT Received: from binky.Central.Sun.COM (binky.Central.Sun.COM [129.153.128.104]) by dm-central-02.central.sun.com (8.13.8+Sun/8.13.8/ENSMAIL,v2.2) with ESMTP id lBKGt4NX053290 for <ietf-sasl@imc.org>; Thu, 20 Dec 2007 09:55:04 -0700 (MST) Received: from binky.Central.Sun.COM (localhost [127.0.0.1]) by binky.Central.Sun.COM (8.14.1+Sun/8.14.1) with ESMTP id lBKGt3MR020521; Thu, 20 Dec 2007 10:55:03 -0600 (CST) Received: (from nw141292@localhost) by binky.Central.Sun.COM (8.14.1+Sun/8.14.1/Submit) id lBKGt3qT020520; Thu, 20 Dec 2007 10:55:03 -0600 (CST) X-Authentication-Warning: binky.Central.Sun.COM: nw141292 set sender to Nicolas.Williams@sun.com using -f Date: Thu, 20 Dec 2007 10:55:03 -0600 From: Nicolas Williams <Nicolas.Williams@sun.com> To: Sam Hartman <hartmans-ietf@mit.edu>, Simon Josefsson <simon@josefsson.org>, ietf-sasl@imc.org Subject: Re: What am I waiting on for gs2? Message-ID: <20071220165503.GK12093@Sun.COM> Mail-Followup-To: Sam Hartman <hartmans-ietf@mit.edu>, Simon Josefsson <simon@josefsson.org>, ietf-sasl@imc.org References: <tslir3njs54.fsf@mit.edu> <87tzn6lcw9.fsf@mocca.josefsson.org> <tslprxufnqk.fsf@mit.edu> <tslk5o04vw3.fsf@mit.edu> <87bq8ltq45.fsf@mocca.josefsson.org> <tsld4t1iero.fsf@mit.edu> <20071220155935.GV14367@Sun.COM> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20071220155935.GV14367@Sun.COM> User-Agent: Mutt/1.5.7i Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> On Thu, Dec 20, 2007 at 09:59:35AM -0600, Nicolas Williams wrote: > I'd rather see that bit in the client/server's second wrap token, yes. We almost already have it. Since the last wrap token carries the selected security layer, and that selection is derived from channel binding success/failure. Of course, if a given mechanism does not support confidentiality protection but the underlying channel does and channel binding failes then we need a way to signal this. So, yes, I think we need one more bit in the client/server's last wrap token for this. Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id lBKGqXMs035397 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 20 Dec 2007 09:52:33 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id lBKGqX4q035396; Thu, 20 Dec 2007 09:52:33 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from yxa.extundo.com (yxa.extundo.com [83.241.177.38]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id lBKGqUPn035384 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL) for <ietf-sasl@imc.org>; Thu, 20 Dec 2007 09:52:32 -0700 (MST) (envelope-from simon@josefsson.org) Received: from mocca.josefsson.org (yxa.extundo.com [83.241.177.38]) (authenticated bits=0) by yxa.extundo.com (8.13.4/8.13.4/Debian-3sarge3) with ESMTP id lBKGqIaa015174 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 20 Dec 2007 17:52:19 +0100 From: Simon Josefsson <simon@josefsson.org> To: Sam Hartman <hartmans-ietf@mit.edu> Cc: ietf-sasl@imc.org Subject: Re: What am I waiting on for gs2? In-Reply-To: <tsld4t1iero.fsf@mit.edu> (Sam Hartman's message of "Thu, 20 Dec 2007 10:09:47 -0500") References: <tslir3njs54.fsf@mit.edu> <87tzn6lcw9.fsf@mocca.josefsson.org> <tslprxufnqk.fsf@mit.edu> <tslk5o04vw3.fsf@mit.edu> <87bq8ltq45.fsf@mocca.josefsson.org> <tsld4t1iero.fsf@mit.edu> User-Agent: Gnus/5.110007 (No Gnus v0.7) Emacs/22.1 (gnu/linux) OpenPGP: id=B565716F; url=http://josefsson.org/key.txt X-Hashcash: 1:22:071220:ietf-sasl@imc.org::btObSkG8QJfLwCo3:afj X-Hashcash: 1:22:071220:hartmans-ietf@mit.edu::6dkYP0wSo8lQo3nf:PxvI Date: Thu, 20 Dec 2007 17:52:18 +0100 Message-ID: <87hcidia0t.fsf@mocca.josefsson.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Spam-Status: No, score=-0.0 required=4.0 tests=SPF_PASS autolearn=disabled version=3.1.7 X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on yxa-iv X-Virus-Scanned: ClamAV version 0.88.2, clamav-milter version 0.88.2 on yxa.extundo.com X-Virus-Status: Clean Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> Sam Hartman <hartmans-ietf@mit.edu> writes: >>>>>> "Simon" == Simon Josefsson <simon@josefsson.org> writes: > > >> The channel binding spec requires applications know about > >> channel binding failure. You added text passing this > >> requirement along, but I don't see how your protocol allows the > >> client to detect channel binding failure. > >> > >> We have c->m->s where m is a passive man in the middle that > >> joins the TLS stream. So, the channel bindings are different. > >> C sends the gss_wrap to s using the same qop for channel > >> binding and non-channel binding. How does s indicate to c that > >> the channel binding from s's standpoint is not the same as what > >> it received from c? > >> > >> I think you need a bit (possibly as a flag bit xored in with > >> the qop) to indicate this. > > Simon> FYI, I had interpreted the requirement in RFC 5056: > > Simon> o Authentication frameworks and mechanisms that support > Simon> channel binding MUST communicate channel binding failure to > Simon> applications. > > Simon> to mean that implementations must let the local > Simon> applications know about the situation. That allows them to > Simon> abort the connection depending on local policy. I didn't > Simon> read that to mean that protocols are required to notify the > Simon> other side of the situation. The latter requirement is > Simon> stronger than the former. I must admit that I don't see > Simon> why the stronger requirement is a useful one. > > Hmm. You may be right that I was reading more into RFC 5056 than is > actually there. In GS2 I'd prefer that we do indicate channel binding > failure back because we don't generally want people to abort at least > if they are willing to use a security layer instead. Right. I think that was already possible, given: Note that "client_qop" and "server_qop" MAY indicate a quality of protection that was not offered by the server and client, respectively. This SHOULD only be used when the server or client (respectively) would otherwise fail the entire authentication exchange. The server/client that receives a "client_qop"/ "server_qop" MUST verify that it corresponds to an acceptable security level. When deciding whether to permit this or not, it can be useful to know whether the other side made this choice because of a failed QOP or not. That isn't possible with -09, and your suggestion fixes it. It is not possible to verify the chosen QOP against *_qops and *_cbqops unless you know whether channel binding negotiation was successful or not. In -09, you could only verify the chosen QOP against the logical OR between *_qops and *_cbqops, which is sub-optimal. Your suggestion fixes this. > However if the WG doesn't have consensus behind this change then it > should be backed out. I support the change below. Others? /Simon --- 1/draft-ietf-sasl-gs2-09.txt 2007-12-20 16:30:00.000000000 +0100 +++ 2/draft-ietf-sasl-gs2.txt 2007-12-20 16:30:00.000000000 +0100 @@ -564,25 +564,25 @@ channel bindings do not match. Client and servers MUST set the "chan_binding" parameter in the calls to GSS_Init_sec_context and GSS_Accept_sec_context, respectively, to NULL. Implementations SHOULD set the "client_cbqops" and "server_cbqops" to no security layer and instead depend on the session security afforded by the bound-in channel. - In order to accomodate the requirement in [16] "Authentication + In order to accomodate the requirement in [8] "Authentication frameworks and mechanisms that support channel binding MUST communicate channel binding failure to applications" implementations - MUST provide a way to communicate channel binding failures to - applications. + assert a bit in the security layer bitmask (see Section 9) on + negotiation failures. Use of no SASL security layers in combination with channel binding should provide better performance than using SASL security layers over secure channels, and better security characteristics than using no SASL security layers over secure channels without channel binding. For more discussions of channel bindings, and the syntax of the channel binding data for various security protocols, see [8]. For easy reference, the channel binding format used for The Transport Layer Security (TLS) Protocol [14] is specified in [16]. @@ -749,21 +749,22 @@ o GSS_Unwrap() returns anything other than GSS_S_COMPLETE. (There can't be supplementary status codes in GS2 at this point, so any indications of out of order processing or replays is fatal.) o The token returned from GSS_Unwrap fail to parse correctly (e.g., too short, invalid maximum buffer size) as the expected Wrap token. o Local policy reject the attempt. For example, client and server - can't agree on qop proposal. + can't agree on qop proposal, or channel binding negotiation + failed. o (server-side) Authorization of client principal (i.e., src_name in GSS_Acecpt_sec_context) to requested authzid failed. 8. GSS-API Parameters The implementation MAY set any GSSAPI flags or arguments not mentioned in this specification as is necessary for the implementation to enforce its security policy. @@ -778,63 +779,80 @@ layer. Note that "client_qop" and "server_qop" MAY indicate a quality of protection that was not offered by the server and client, respectively. This SHOULD only be used when the server or client (respectively) would otherwise fail the entire authentication exchange. The server/client that receives a "client_qop"/ "server_qop" MUST verify that it corresponds to an acceptable security level. + Whether the channel binding negotiation is successful or not may + influence the security layer selection. The most significant bit is + used to signal failed channel binding negotiation. Implementations + MUST set the bit if channel bindings were provided from the other end + and a local channel binding is absent or not equal. Implementation + MUST clear the bit otherwise. + The security layers and their corresponding bit-masks are as follows: - 1 No security layer + 1 No security layer. 2 Integrity protection. - Sender calls GSS_Wrap with conf_flag set to FALSE + Sender calls GSS_Wrap with conf_flag set to FALSE. 4 Confidentiality protection. - Sender calls GSS_Wrap with conf_flag set to TRUE + Sender calls GSS_Wrap with conf_flag set to TRUE. + 8-64 Reserved. + 128 Channel binding negotiation failed. - Other bit-masks may be defined in the future; bits which are not - understood MUST be negotiated off. + The bit-masks 8-64 are reserved and may be defined in the future; + bits which are not understood MUST be negotiated off. When decoding any received data with GSS_Unwrap the major_status other than the GSS_S_COMPLETE MUST be treated as a fatal error. For integrity and confidentiality protection, GS2 negotiates the maximum size of the output_message to send. Implementations can use the GSS_Wrap_size_limit call to determine the corresponding maximum size input_message. 9.1. Examples When no security layer is negotiated the octet will encode an integer 1 as follows. - 0 1 2 3 4 5 6 7 + 7 6 5 4 3 2 1 0 +-+-+-+-+-+-+-+-+ |0|0|0|0|0|0|0|1| +-+-+-+-+-+-+-+-+ When integrity is negotiated the octet will encode an integer 2 as follows. - 0 1 2 3 4 5 6 7 + 7 6 5 4 3 2 1 0 +-+-+-+-+-+-+-+-+ |0|0|0|0|0|0|1|0| +-+-+-+-+-+-+-+-+ - When confidentiality is negotiated the octet will encode an integer 4 - as follows. + When confidentiality is negotiated, and channel binding negotiation + failed, the octet will encode an integer 128+4=132 as follows. - 0 1 2 3 4 5 6 7 + 7 6 5 4 3 2 1 0 +-+-+-+-+-+-+-+-+ - |0|0|0|0|0|1|0|0| + |1|0|0|0|0|1|0|0| + +-+-+-+-+-+-+-+-+ + + When a bitmask that indicates that all security layers are + acceptable, the octet will encode an integer 1+2+4=7 as follows. + + 7 6 5 4 3 2 1 0 + +-+-+-+-+-+-+-+-+ + |0|0|0|0|0|1|1|1| +-+-+-+-+-+-+-+-+ 10. Non-integrity capable GSS-API mechanisms Mechanisms that do not support integrity can be used with GS2, but some security features cannot be provided, in particular including channel bindings, security layers, and integrity protection of the authorization identity. Channel bindings and security layers MUST NOT be negotiated when the @@ -955,20 +973,23 @@ GSS-API mechanism widely on the Internet that do not support integrity. Because the negotiation of a particular GSS-API mechanism may be done in the clear, it is important for the GSS-API mechanisms to be designed such that an active attacker cannot obtain an authentication with weaker security properties by modifying the challenges and responses. This is a generic design critera for the GSS-API mechanisms used under GS2. + GS2 permits channel binding negotiation to fail. Implementation may + have a local policy to reject authentication attempts in this case. + When a server or client supports multiple GSS-API mechanisms, each of which has a different security strength, it is possible for an active attacker to cause a party to use the least secure mechanism supported. This problem and a solution is discussed in section 6.1.2 of [2], but some additional methods to mitigate the problem include: 1. Use of an integrity protected transport, such as TLS [14]. To protect against certain tunnel attacks [18], channel bindings need to be used. Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id lBKGDBmq031682 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 20 Dec 2007 09:13:11 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id lBKGDB00031681; Thu, 20 Dec 2007 09:13:11 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from brmea-mail-2.sun.com (brmea-mail-2.Sun.COM [192.18.98.43]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id lBKGDBM2031675 for <ietf-sasl@imc.org>; Thu, 20 Dec 2007 09:13:11 -0700 (MST) (envelope-from Nicolas.Williams@sun.com) Received: from dm-central-01.central.sun.com ([129.147.62.4]) by brmea-mail-2.sun.com (8.13.6+Sun/8.12.9) with ESMTP id lBKGDAtL025807 for <ietf-sasl@imc.org>; Thu, 20 Dec 2007 16:13:11 GMT Received: from binky.Central.Sun.COM (binky.Central.Sun.COM [129.153.128.104]) by dm-central-01.central.sun.com (8.13.8+Sun/8.13.8/ENSMAIL,v2.2) with ESMTP id lBKGDAuH016422 for <ietf-sasl@imc.org>; Thu, 20 Dec 2007 09:13:10 -0700 (MST) Received: from binky.Central.Sun.COM (localhost [127.0.0.1]) by binky.Central.Sun.COM (8.14.1+Sun/8.14.1) with ESMTP id lBKGDA6T020484; Thu, 20 Dec 2007 10:13:10 -0600 (CST) Received: (from nw141292@localhost) by binky.Central.Sun.COM (8.14.1+Sun/8.14.1/Submit) id lBKGDAEp020483; Thu, 20 Dec 2007 10:13:10 -0600 (CST) X-Authentication-Warning: binky.Central.Sun.COM: nw141292 set sender to Nicolas.Williams@sun.com using -f Date: Thu, 20 Dec 2007 10:13:10 -0600 From: Nicolas Williams <Nicolas.Williams@sun.com> To: Sam Hartman <hartmans-ietf@mit.edu> Cc: ietf-sasl@imc.org Subject: Re: SASL mechanisms via GSS-API and round trips Message-ID: <20071220161309.GY14367@Sun.COM> Mail-Followup-To: Sam Hartman <hartmans-ietf@mit.edu>, ietf-sasl@imc.org References: <tsllk7piff3.fsf@mit.edu> <20071220152649.GQ14367@Sun.COM> <tsly7bpgysu.fsf@mit.edu> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <tsly7bpgysu.fsf@mit.edu> User-Agent: Mutt/1.5.7i Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> On Thu, Dec 20, 2007 at 10:40:01AM -0500, Sam Hartman wrote: > Note, I'm only saying we should require prot_ready for new mechanisms > that people are going to want to implement as sasl native, not for all > new mechanisms. Ah, I must have misread -- I thought you wanted to make this requirement for all GSS mechanisms. I think I'm OK with making that requirement only of all SASL/GS2 mechanisms. Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id lBKFxbg1030502 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 20 Dec 2007 08:59:37 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id lBKFxbXG030501; Thu, 20 Dec 2007 08:59:37 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from sca-ea-mail-4.sun.com (sca-ea-mail-4.Sun.COM [192.18.43.22]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id lBKFxaYB030493 for <ietf-sasl@imc.org>; Thu, 20 Dec 2007 08:59:37 -0700 (MST) (envelope-from Nicolas.Williams@sun.com) Received: from dm-central-01.central.sun.com ([129.147.62.4]) by sca-ea-mail-4.sun.com (8.13.6+Sun/8.12.9) with ESMTP id lBKFxaAL007764 for <ietf-sasl@imc.org>; Thu, 20 Dec 2007 15:59:36 GMT Received: from binky.Central.Sun.COM (binky.Central.Sun.COM [129.153.128.104]) by dm-central-01.central.sun.com (8.13.8+Sun/8.13.8/ENSMAIL,v2.2) with ESMTP id lBKFxZQL007630 for <ietf-sasl@imc.org>; Thu, 20 Dec 2007 08:59:35 -0700 (MST) Received: from binky.Central.Sun.COM (localhost [127.0.0.1]) by binky.Central.Sun.COM (8.14.1+Sun/8.14.1) with ESMTP id lBKFxZ7Z020456; Thu, 20 Dec 2007 09:59:35 -0600 (CST) Received: (from nw141292@localhost) by binky.Central.Sun.COM (8.14.1+Sun/8.14.1/Submit) id lBKFxZ3j020455; Thu, 20 Dec 2007 09:59:35 -0600 (CST) X-Authentication-Warning: binky.Central.Sun.COM: nw141292 set sender to Nicolas.Williams@sun.com using -f Date: Thu, 20 Dec 2007 09:59:35 -0600 From: Nicolas Williams <Nicolas.Williams@sun.com> To: Sam Hartman <hartmans-ietf@mit.edu> Cc: Simon Josefsson <simon@josefsson.org>, ietf-sasl@imc.org Subject: Re: What am I waiting on for gs2? Message-ID: <20071220155935.GV14367@Sun.COM> Mail-Followup-To: Sam Hartman <hartmans-ietf@mit.edu>, Simon Josefsson <simon@josefsson.org>, ietf-sasl@imc.org References: <tslir3njs54.fsf@mit.edu> <87tzn6lcw9.fsf@mocca.josefsson.org> <tslprxufnqk.fsf@mit.edu> <tslk5o04vw3.fsf@mit.edu> <87bq8ltq45.fsf@mocca.josefsson.org> <tsld4t1iero.fsf@mit.edu> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <tsld4t1iero.fsf@mit.edu> User-Agent: Mutt/1.5.7i Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> On Thu, Dec 20, 2007 at 10:09:47AM -0500, Sam Hartman wrote: > > >>>>> "Simon" == Simon Josefsson <simon@josefsson.org> writes: > > >> The channel binding spec requires applications know about > >> channel binding failure. You added text passing this > >> requirement along, but I don't see how your protocol allows the > >> client to detect channel binding failure. > >> > >> We have c->m->s where m is a passive man in the middle that > >> joins the TLS stream. So, the channel bindings are different. > >> C sends the gss_wrap to s using the same qop for channel > >> binding and non-channel binding. How does s indicate to c that > >> the channel binding from s's standpoint is not the same as what > >> it received from c? > >> > >> I think you need a bit (possibly as a flag bit xored in with > >> the qop) to indicate this. > > Simon> FYI, I had interpreted the requirement in RFC 5056: > > Simon> o Authentication frameworks and mechanisms that support > Simon> channel binding MUST communicate channel binding failure to > Simon> applications. > > Simon> to mean that implementations must let the local > Simon> applications know about the situation. That allows them to > Simon> abort the connection depending on local policy. I didn't > Simon> read that to mean that protocols are required to notify the > Simon> other side of the situation. The latter requirement is > Simon> stronger than the former. I must admit that I don't see > Simon> why the stronger requirement is a useful one. > > Hmm. You may be right that I was reading more into RFC 5056 than is > actually there. In GS2 I'd prefer that we do indicate channel binding > failure back because we don't generally want people to abort at least > if they are willing to use a security layer instead. > > However if the WG doesn't have consensus behind this change then it > should be backed out. I'd rather see that bit in the client/server's second wrap token, yes. Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id lBKFmwkn029672 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 20 Dec 2007 08:48:58 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id lBKFmw8n029671; Thu, 20 Dec 2007 08:48:58 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from brmea-mail-2.sun.com (brmea-mail-2.Sun.COM [192.18.98.43]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id lBKFmvd8029665 for <ietf-sasl@imc.org>; Thu, 20 Dec 2007 08:48:57 -0700 (MST) (envelope-from Nicolas.Williams@sun.com) Received: from dm-central-01.central.sun.com ([129.147.62.4]) by brmea-mail-2.sun.com (8.13.6+Sun/8.12.9) with ESMTP id lBKFmv7q015232 for <ietf-sasl@imc.org>; Thu, 20 Dec 2007 15:48:57 GMT Received: from binky.Central.Sun.COM (binky.Central.Sun.COM [129.153.128.104]) by dm-central-01.central.sun.com (8.13.8+Sun/8.13.8/ENSMAIL,v2.2) with ESMTP id lBKFmvnK001491 for <ietf-sasl@imc.org>; Thu, 20 Dec 2007 08:48:57 -0700 (MST) Received: from binky.Central.Sun.COM (localhost [127.0.0.1]) by binky.Central.Sun.COM (8.14.1+Sun/8.14.1) with ESMTP id lBKFmufX020428; Thu, 20 Dec 2007 09:48:56 -0600 (CST) Received: (from nw141292@localhost) by binky.Central.Sun.COM (8.14.1+Sun/8.14.1/Submit) id lBKFmuaQ020427; Thu, 20 Dec 2007 09:48:56 -0600 (CST) X-Authentication-Warning: binky.Central.Sun.COM: nw141292 set sender to Nicolas.Williams@sun.com using -f Date: Thu, 20 Dec 2007 09:48:56 -0600 From: Nicolas Williams <Nicolas.Williams@sun.com> To: Simon Josefsson <simon@josefsson.org> Cc: Sam Hartman <hartmans-ietf@mit.edu>, ietf-sasl@imc.org Subject: Re: What am I waiting on for gs2? Message-ID: <20071220154856.GS14367@Sun.COM> Mail-Followup-To: Simon Josefsson <simon@josefsson.org>, Sam Hartman <hartmans-ietf@mit.edu>, ietf-sasl@imc.org References: <tslir3njs54.fsf@mit.edu> <87tzn6lcw9.fsf@mocca.josefsson.org> <tslprxufnqk.fsf@mit.edu> <tslk5o04vw3.fsf@mit.edu> <87bq8ltq45.fsf@mocca.josefsson.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <87bq8ltq45.fsf@mocca.josefsson.org> User-Agent: Mutt/1.5.7i Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> On Thu, Dec 20, 2007 at 03:09:14PM +0100, Simon Josefsson wrote: > FYI, I had interpreted the requirement in RFC 5056: > > o Authentication frameworks and mechanisms that support channel > binding MUST communicate channel binding failure to applications. > > to mean that implementations must let the local applications know about > the situation. That allows them to abort the connection depending on > local policy. I didn't read that to mean that protocols are required to > notify the other side of the situation. The latter requirement is > stronger than the former. I must admit that I don't see why the > stronger requirement is a useful one. Your interpretation of that requirement is correct. The stronger requirement perhaps should have been included. I think Sam and I never settled the issue of the Kerberos V GSS mechanism's initiator not having any idea of whether the server checked or ignore channel bindings when the server returns and AP-REP token. Sam? Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id lBKFe6W0029063 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 20 Dec 2007 08:40:06 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id lBKFe6NX029062; Thu, 20 Dec 2007 08:40:06 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from carter-zimmerman.suchdamage.org (carter-zimmerman.suchdamage.org [69.25.196.178]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id lBKFe4gf029055 for <ietf-sasl@imc.org>; Thu, 20 Dec 2007 08:40:05 -0700 (MST) (envelope-from hartmans@mit.edu) Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id B262F4815; Thu, 20 Dec 2007 10:40:01 -0500 (EST) From: Sam Hartman <hartmans-ietf@mit.edu> To: ietf-sasl@imc.org Subject: Re: SASL mechanisms via GSS-API and round trips References: <tsllk7piff3.fsf@mit.edu> <20071220152649.GQ14367@Sun.COM> Date: Thu, 20 Dec 2007 10:40:01 -0500 In-Reply-To: <20071220152649.GQ14367@Sun.COM> (Nicolas Williams's message of "Thu, 20 Dec 2007 09:26:50 -0600") Message-ID: <tsly7bpgysu.fsf@mit.edu> User-Agent: Gnus/5.110006 (No Gnus v0.6) Emacs/21.4 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> >>>>> "Nicolas" == Nicolas Williams <Nicolas.Williams@sun.com> writes: Nicolas> Sam, GS2 takes adavantage of PROT_READY where available. No, GS2 implementations may take advantage of prot_ready where available but are not required to do so. Nicolas> Nicolas> I think that's enough. I don't think there's any need to Nicolas> require PROT_READY support of new mechanisms, though I Nicolas> would strongly recommend PROT_READY support where it is Nicolas> actually feasible (I can imagine mechanisms where Nicolas> PROT_READY couldn't be signalled before GSS_S_COMPLETE). I explained why I don't think this is enough. I'd appreciate an explanation of why I'm wrong. Note, I'm only saying we should require prot_ready for new mechanisms that people are going to want to implement as sasl native, not for all new mechanisms. Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id lBKFQqv5027500 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 20 Dec 2007 08:26:52 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id lBKFQqR7027499; Thu, 20 Dec 2007 08:26:52 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from brmea-mail-4.sun.com (brmea-mail-4.Sun.COM [192.18.98.36]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id lBKFQoxM027493 for <ietf-sasl@imc.org>; Thu, 20 Dec 2007 08:26:51 -0700 (MST) (envelope-from Nicolas.Williams@sun.com) Received: from dm-central-01.central.sun.com ([129.147.62.4]) by brmea-mail-4.sun.com (8.13.6+Sun/8.12.9) with ESMTP id lBKFQoJq001419 for <ietf-sasl@imc.org>; Thu, 20 Dec 2007 15:26:50 GMT Received: from binky.Central.Sun.COM (binky.Central.Sun.COM [129.153.128.104]) by dm-central-01.central.sun.com (8.13.8+Sun/8.13.8/ENSMAIL,v2.2) with ESMTP id lBKFQosc053952 for <ietf-sasl@imc.org>; Thu, 20 Dec 2007 08:26:50 -0700 (MST) Received: from binky.Central.Sun.COM (localhost [127.0.0.1]) by binky.Central.Sun.COM (8.14.1+Sun/8.14.1) with ESMTP id lBKFQo7P020409; Thu, 20 Dec 2007 09:26:50 -0600 (CST) Received: (from nw141292@localhost) by binky.Central.Sun.COM (8.14.1+Sun/8.14.1/Submit) id lBKFQoQw020408; Thu, 20 Dec 2007 09:26:50 -0600 (CST) X-Authentication-Warning: binky.Central.Sun.COM: nw141292 set sender to Nicolas.Williams@sun.com using -f Date: Thu, 20 Dec 2007 09:26:50 -0600 From: Nicolas Williams <Nicolas.Williams@sun.com> To: Sam Hartman <hartmans-ietf@mit.edu> Cc: ietf-sasl@imc.org Subject: Re: SASL mechanisms via GSS-API and round trips Message-ID: <20071220152649.GQ14367@Sun.COM> Mail-Followup-To: Sam Hartman <hartmans-ietf@mit.edu>, ietf-sasl@imc.org References: <tsllk7piff3.fsf@mit.edu> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <tsllk7piff3.fsf@mit.edu> User-Agent: Mutt/1.5.7i Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> Sam, GS2 takes adavantage of PROT_READY where available. I think that's enough. I don't think there's any need to require PROT_READY support of new mechanisms, though I would strongly recommend PROT_READY support where it is actually feasible (I can imagine mechanisms where PROT_READY couldn't be signalled before GSS_S_COMPLETE). Nico -- Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id lBKFO9Tc027315 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 20 Dec 2007 08:24:09 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id lBKFO9s3027314; Thu, 20 Dec 2007 08:24:09 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from sca-ea-mail-4.sun.com (sca-ea-mail-4.Sun.COM [192.18.43.22]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id lBKFO8JE027307 for <ietf-sasl@imc.org>; Thu, 20 Dec 2007 08:24:08 -0700 (MST) (envelope-from Nicolas.Williams@sun.com) Received: from dm-central-01.central.sun.com ([129.147.62.4]) by sca-ea-mail-4.sun.com (8.13.6+Sun/8.12.9) with ESMTP id lBKFO8Vb027633 for <ietf-sasl@imc.org>; Thu, 20 Dec 2007 15:24:08 GMT Received: from binky.Central.Sun.COM (binky.Central.Sun.COM [129.153.128.104]) by dm-central-01.central.sun.com (8.13.8+Sun/8.13.8/ENSMAIL,v2.2) with ESMTP id lBKFO7FH052504 for <ietf-sasl@imc.org>; Thu, 20 Dec 2007 08:24:07 -0700 (MST) Received: from binky.Central.Sun.COM (localhost [127.0.0.1]) by binky.Central.Sun.COM (8.14.1+Sun/8.14.1) with ESMTP id lBKFO4HT020401; Thu, 20 Dec 2007 09:24:04 -0600 (CST) Received: (from nw141292@localhost) by binky.Central.Sun.COM (8.14.1+Sun/8.14.1/Submit) id lBKFO3wd020400; Thu, 20 Dec 2007 09:24:03 -0600 (CST) X-Authentication-Warning: binky.Central.Sun.COM: nw141292 set sender to Nicolas.Williams@sun.com using -f Date: Thu, 20 Dec 2007 09:24:03 -0600 From: Nicolas Williams <Nicolas.Williams@sun.com> To: Sam Hartman <hartmans-ietf@mit.edu> Cc: ietf-sasl@imc.org Subject: Re: Channel Binding and GSS-API mechanisms Message-ID: <20071220152403.GP14367@Sun.COM> Mail-Followup-To: Sam Hartman <hartmans-ietf@mit.edu>, ietf-sasl@imc.org References: <tslprx1ig8s.fsf@mit.edu> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <tslprx1ig8s.fsf@mit.edu> User-Agent: Mutt/1.5.7i Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> On Thu, Dec 20, 2007 at 09:37:55AM -0500, Sam Hartman wrote: Sam> First, if you have a channel binding that requires Sam> confidentiality for a channel that does not provide Sam> confidentiality you cannot use it with GS2. Honestly I don't Sam> consider this a big deal because I cannot think of any reason Sam> you'd define such a channel binding. It seems like such a bad Sam> idea I'd hope that the expert would decline the registration. If Sam> we do find a channel where this is the right solutionwe'll have Sam> some work to do. Correct. It's because such a thing would be so silly that this doesn't bother me in the least. Sam> The second problem is more concerning. The way GS2 handles Sam> channel bindings makes it a bit tricky for things that want to be Sam> both a SASL mechanism and a GSS-API mechanism. GS2 does not use Sam> the GSS-API binding facility. It instead uses a wrap token. So, Sam> you'll need to define a wrap token for your mechanism. Sam> However if your mechanism is going to support channel binding Sam> when it is used as a GSS-API mechanism, then it needs to also Sam> support channel bindings in the GSS-API token. Yes, this has bothered me before too, but I came to accept it as a result of the difference in channel binding failure semantics that we want for SASL vs. the GSS-API's. I suppose we could work on a GSS-API extension to make channel binding failure result in an output ret_flag rather than plain failure, then we could use GSS channel binding in GS2, say, but it turns out that there are lots of complexities there as well. The biggest problem with the GS2 approach is that we lose the opportunity to work the channel bindings into the mechanism's context tokens, where it makes the most sense. There was a discussion about this after most of you left the SASL jabber room. Sam> This complexity isn't a over-the wire complexity issue. It does Sam> not effect round trips. If you are only implementing the SASL Sam> mechanism there is not more work to do. Sam> However it makes the spec kind of complicated. I know. I wish it weren't so. I'll think a bit more about alternatives that don't merely shift the complexity elsewhere. Nico -- Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id lBKF9poO026008 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 20 Dec 2007 08:09:51 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id lBKF9pro026007; Thu, 20 Dec 2007 08:09:51 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from carter-zimmerman.suchdamage.org (carter-zimmerman.suchdamage.org [69.25.196.178]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id lBKF9o8N025998 for <ietf-sasl@imc.org>; Thu, 20 Dec 2007 08:09:51 -0700 (MST) (envelope-from hartmans@mit.edu) Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id 02A514815; Thu, 20 Dec 2007 10:09:47 -0500 (EST) From: Sam Hartman <hartmans-ietf@mit.edu> To: Simon Josefsson <simon@josefsson.org> Cc: ietf-sasl@imc.org Subject: Re: What am I waiting on for gs2? References: <tslir3njs54.fsf@mit.edu> <87tzn6lcw9.fsf@mocca.josefsson.org> <tslprxufnqk.fsf@mit.edu> <tslk5o04vw3.fsf@mit.edu> <87bq8ltq45.fsf@mocca.josefsson.org> Date: Thu, 20 Dec 2007 10:09:47 -0500 In-Reply-To: <87bq8ltq45.fsf@mocca.josefsson.org> (Simon Josefsson's message of "Thu, 20 Dec 2007 15:09:14 +0100") Message-ID: <tsld4t1iero.fsf@mit.edu> User-Agent: Gnus/5.110006 (No Gnus v0.6) Emacs/21.4 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> >>>>> "Simon" == Simon Josefsson <simon@josefsson.org> writes: >> The channel binding spec requires applications know about >> channel binding failure. You added text passing this >> requirement along, but I don't see how your protocol allows the >> client to detect channel binding failure. >> >> We have c->m->s where m is a passive man in the middle that >> joins the TLS stream. So, the channel bindings are different. >> C sends the gss_wrap to s using the same qop for channel >> binding and non-channel binding. How does s indicate to c that >> the channel binding from s's standpoint is not the same as what >> it received from c? >> >> I think you need a bit (possibly as a flag bit xored in with >> the qop) to indicate this. Simon> FYI, I had interpreted the requirement in RFC 5056: Simon> o Authentication frameworks and mechanisms that support Simon> channel binding MUST communicate channel binding failure to Simon> applications. Simon> to mean that implementations must let the local Simon> applications know about the situation. That allows them to Simon> abort the connection depending on local policy. I didn't Simon> read that to mean that protocols are required to notify the Simon> other side of the situation. The latter requirement is Simon> stronger than the former. I must admit that I don't see Simon> why the stronger requirement is a useful one. Hmm. You may be right that I was reading more into RFC 5056 than is actually there. In GS2 I'd prefer that we do indicate channel binding failure back because we don't generally want people to abort at least if they are willing to use a security layer instead. However if the WG doesn't have consensus behind this change then it should be backed out. Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id lBKF532v025641 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 20 Dec 2007 08:05:03 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id lBKF531i025640; Thu, 20 Dec 2007 08:05:03 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from carter-zimmerman.suchdamage.org (carter-zimmerman.suchdamage.org [69.25.196.178]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id lBKF51Kp025633 for <ietf-sasl@imc.org>; Thu, 20 Dec 2007 08:05:02 -0700 (MST) (envelope-from hartmans@mit.edu) Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id 8349A4815; Thu, 20 Dec 2007 10:04:58 -0500 (EST) From: Sam Hartman <hartmans-ietf@mit.edu> To: Simon Josefsson <simon@josefsson.org> Cc: ietf-sasl@imc.org Subject: Re: Channel Binding and GSS-API mechanisms References: <tslprx1ig8s.fsf@mit.edu> <87wsr9s9iu.fsf@mocca.josefsson.org> Date: Thu, 20 Dec 2007 10:04:58 -0500 In-Reply-To: <87wsr9s9iu.fsf@mocca.josefsson.org> (Simon Josefsson's message of "Thu, 20 Dec 2007 15:52:57 +0100") Message-ID: <tslhcidiezp.fsf@mit.edu> User-Agent: Gnus/5.110006 (No Gnus v0.6) Emacs/21.4 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> >>>>> "Simon" == Simon Josefsson <simon@josefsson.org> writes: Simon> Sam Hartman <hartmans-ietf@mit.edu> writes: >> Folks, a couple of odd consequences of how GS2 and channel >> binding interact came to me during the meeting and I want to >> make sure we're aware of them and agree they are OK. >> >> First, if you have a channel binding that requires >> confidentiality for a channel that does not provide >> confidentiality you cannot use it with GS2. Honestly I don't >> consider this a big deal because I cannot think of any reason >> you'd define such a channel binding. It seems like such a bad >> idea I'd hope that the expert would decline the registration. >> If we do find a channel where this is the right solutionwe'll >> have some work to do. Simon> There is a security consideration in GS2 about this: Simon> The channel binding is sent without privacy protection Simon> and knowledge of it is assumed to provide no advantage to Simon> an attacker. This is a property that has to be considered Simon> when specifying channel bindings for a security protocol Simon> that will be used with GS2. Simon> Is there anything else the document could say, or is this Simon> sufficient? No, I think the doc is fine. The question is whether the WG is OK with that consequence. My personal recommendation is no change in this area. >> The second problem is more concerning. The way GS2 handles >> channel bindings makes it a bit tricky for things that want to >> be both a SASL mechanism and a GSS-API mechanism. GS2 does not >> use the GSS-API binding facility. It instead uses a wrap >> token. So, you'll need to define a wrap token for your >> mechanism. Simon> I don't think that is required, see section 4.3.1 of GS2: Simon> 4.3.1. The GS2_Wrap function Simon> The GS2_Wrap function have two implementations, and Simon> which one is used depends on whether the negotiated GSS-API Simon> context supports per- message protection. When a context Simon> is successfully negotiated (i.e., when GSS_S_COMPLETE is Simon> returned from, for clients, GSS_Init_sec_context, or, for Simon> servers, GSS_Accept_sec_context) and the output variable Simon> integ_avail is FALSE, then GSS_Wrap cannot be used and Simon> instead we define GS2_Wrap to be the identity function. Simon> When integ_avail is negotiated TRUE, the GS2_Wrap is Simon> identical to calling the GSS_Wrap function with conf_flag Simon> set to FALSE and using the generated output_message as the Simon> output data. Simon> The rest of the document uses GS2_Wrap, not GSS_Wrap. You cannot use channel binding with contexts that do not have integ_avail. So, if you are going to design a SASL mechanism as a GSS-API mechanism and want channel binding to work, you must provide gss_wrap with integrity tokens. The GS2 document explains why we made that design decision. I understand and agree with that explanation. I just want to make sure the WG is aware of the consequences. Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id lBKEtmgU024752 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 20 Dec 2007 07:55:48 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id lBKEtmKN024751; Thu, 20 Dec 2007 07:55:48 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from carter-zimmerman.suchdamage.org (carter-zimmerman.suchdamage.org [69.25.196.178]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id lBKEtlSo024735 for <ietf-sasl@imc.org>; Thu, 20 Dec 2007 07:55:47 -0700 (MST) (envelope-from hartmans@mit.edu) Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id 5D3114815; Thu, 20 Dec 2007 09:55:44 -0500 (EST) From: Sam Hartman <hartmans-ietf@mit.edu> To: ietf-sasl@imc.org Subject: SASL mechanisms via GSS-API and round trips Date: Thu, 20 Dec 2007 09:55:44 -0500 Message-ID: <tsllk7piff3.fsf@mit.edu> User-Agent: Gnus/5.110006 (No Gnus v0.6) Emacs/21.4 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> One of the things I think we're going to need to do to make specifying mechanisms as GSS-API mechanisms acceptable to the apps community is to reduce options and implementation complexity. Unless we've screwed something up, I think we have the normal case of a client-first mechanism via GS2 working so that it will be the same number of packets without significant extra bytes as the same mechanism as a native SASL mechanism. However GS2 does not require prot_ready support and does not require optimal number of round trips. Let's take a simple challenge response mechanism c->s: {client_name , null} s->c: {server_nonce,null} c->s: {f(key,client_nonce,server_nonce), wrap(authz_id,cbdata)} s->c: {g(server_nonce, client_nonce), wrap(flags)} I'm talking about an idealized gs2 here; there's also goop to say that neither side wants a security layer in some of those packets. That's roughly what gs2 of a sasl mechanism would look like assuming that people are being optimal. I don't think doing a native non-gss-implementation that is wire compatible with that is hard. However if that native implementation talks to a real gss implementation you may get something like c->s: {client_name , null} s->c: {server_nonce,null} c->s: {f(key,client_nonce,server_nonce), null} s->c: {g(server_nonce, client_nonce), wrap(flags, cbdata) c->s: {null, wrap(flags,authzid)} I'd need to go back and look at the spec. IT may turn out that it can take an extra round trip if the wrap token from the server to the client is null and the client has to send first after all the context tokens are done. I don't think that is permitted though. It seems like supporting that interaction would significantly increase the control loop complexity of the native SASL mechanism. I bet that will be unacceptable to a lot of people. So, I think we're going to have to require that you use the optimal number of round trips. That's kind of complicated to do. Not all mechanisms specify whether they support prot_ready. I'm sort of imagining a requirement in GS2 that for GSS-API mechanisms that mandate prot_ready support,GS2 must take advantage of it. Then in anything we design expecting that it will be both a SASL mechanism without GSS code and is using the GS2 wire protocol we require prot_ready support in the mechanism. Put another way, we thread a requirement through a couple abstraction layers to say that you shouldn't be stupid. This does increase the minimum complexity of a generic GS2 mechanism. However I think it significantly saves on the complexity of wire-compatible native SASL mechanisms. Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id lBKErEWq024424 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 20 Dec 2007 07:53:14 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id lBKErEZD024423; Thu, 20 Dec 2007 07:53:14 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from yxa.extundo.com (yxa.extundo.com [83.241.177.38]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id lBKErBWG024417 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL) for <ietf-sasl@imc.org>; Thu, 20 Dec 2007 07:53:12 -0700 (MST) (envelope-from simon@josefsson.org) Received: from mocca.josefsson.org (yxa.extundo.com [83.241.177.38]) (authenticated bits=0) by yxa.extundo.com (8.13.4/8.13.4/Debian-3sarge3) with ESMTP id lBKEqw7I012432 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 20 Dec 2007 15:52:58 +0100 From: Simon Josefsson <simon@josefsson.org> To: Sam Hartman <hartmans-ietf@mit.edu> Cc: ietf-sasl@imc.org Subject: Re: Channel Binding and GSS-API mechanisms References: <tslprx1ig8s.fsf@mit.edu> OpenPGP: id=B565716F; url=http://josefsson.org/key.txt X-Hashcash: 1:22:071220:hartmans-ietf@mit.edu::pjOA74ViwrKrbeXx:9rNV X-Hashcash: 1:22:071220:ietf-sasl@imc.org::iLm6ozMDenZdwkyB:jodO Date: Thu, 20 Dec 2007 15:52:57 +0100 In-Reply-To: <tslprx1ig8s.fsf@mit.edu> (Sam Hartman's message of "Thu, 20 Dec 2007 09:37:55 -0500") Message-ID: <87wsr9s9iu.fsf@mocca.josefsson.org> User-Agent: Gnus/5.110007 (No Gnus v0.7) Emacs/22.1 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Spam-Status: No, score=-0.0 required=4.0 tests=SPF_PASS autolearn=disabled version=3.1.7 X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on yxa-iv X-Virus-Scanned: ClamAV version 0.88.2, clamav-milter version 0.88.2 on yxa.extundo.com X-Virus-Status: Clean Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> Sam Hartman <hartmans-ietf@mit.edu> writes: > Folks, a couple of odd consequences of how GS2 and channel binding > interact came to me during the meeting and I want to make sure we're > aware of them and agree they are OK. > > First, if you have a channel binding that requires confidentiality for > a channel that does not provide confidentiality you cannot use it with > GS2. Honestly I don't consider this a big deal because I cannot think > of any reason you'd define such a channel binding. It seems like such > a bad idea I'd hope that the expert would decline the registration. > If we do find a channel where this is the right solutionwe'll have > some work to do. There is a security consideration in GS2 about this: The channel binding is sent without privacy protection and knowledge of it is assumed to provide no advantage to an attacker. This is a property that has to be considered when specifying channel bindings for a security protocol that will be used with GS2. Is there anything else the document could say, or is this sufficient? > The second problem is more concerning. The way GS2 handles channel > bindings makes it a bit tricky for things that want to be both a SASL > mechanism and a GSS-API mechanism. GS2 does not use the GSS-API > binding facility. It instead uses a wrap token. So, you'll need to > define a wrap token for your mechanism. I don't think that is required, see section 4.3.1 of GS2: 4.3.1. The GS2_Wrap function The GS2_Wrap function have two implementations, and which one is used depends on whether the negotiated GSS-API context supports per- message protection. When a context is successfully negotiated (i.e., when GSS_S_COMPLETE is returned from, for clients, GSS_Init_sec_context, or, for servers, GSS_Accept_sec_context) and the output variable integ_avail is FALSE, then GSS_Wrap cannot be used and instead we define GS2_Wrap to be the identity function. When integ_avail is negotiated TRUE, the GS2_Wrap is identical to calling the GSS_Wrap function with conf_flag set to FALSE and using the generated output_message as the output data. The rest of the document uses GS2_Wrap, not GSS_Wrap. > However if your mechanism is going to support channel binding when it > is used as a GSS-API mechanism, then it needs to also support channel > bindings in the GSS-API token. > > This complexity isn't a over-the wire complexity issue. It does not > effect round trips. If you are only implementing the SASL mechanism > there is not more work to do. > > However it makes the spec kind of complicated. That may still be the case, though. /Simon Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id lBKEhAgK023789 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 20 Dec 2007 07:43:11 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id lBKEhAmU023788; Thu, 20 Dec 2007 07:43:10 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from yxa.extundo.com (yxa.extundo.com [83.241.177.38]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id lBKEh7jV023779 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL) for <ietf-sasl@imc.org>; Thu, 20 Dec 2007 07:43:09 -0700 (MST) (envelope-from simon@josefsson.org) Received: from mocca.josefsson.org (yxa.extundo.com [83.241.177.38]) (authenticated bits=0) by yxa.extundo.com (8.13.4/8.13.4/Debian-3sarge3) with ESMTP id lBKEgucQ010793 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 20 Dec 2007 15:42:59 +0100 From: Simon Josefsson <simon@josefsson.org> To: Sam Hartman <hartmans-ietf@mit.edu> Cc: ietf-sasl@imc.org Subject: Re: What am I waiting on for gs2? References: <tslir3njs54.fsf@mit.edu> <87tzn6lcw9.fsf@mocca.josefsson.org> <tslprxufnqk.fsf@mit.edu> <tslk5o04vw3.fsf@mit.edu> <87bq8ltq45.fsf@mocca.josefsson.org> OpenPGP: id=B565716F; url=http://josefsson.org/key.txt X-Hashcash: 1:22:071220:ietf-sasl@imc.org::Ii2qNdHjo+pU9jiC:68Lo X-Hashcash: 1:22:071220:hartmans-ietf@mit.edu::OHyGmtxUkhiIH3bh:ArBC Date: Thu, 20 Dec 2007 15:42:56 +0100 In-Reply-To: <87bq8ltq45.fsf@mocca.josefsson.org> (Simon Josefsson's message of "Thu, 20 Dec 2007 15:09:14 +0100") Message-ID: <871w9htojz.fsf@mocca.josefsson.org> User-Agent: Gnus/5.110007 (No Gnus v0.7) Emacs/22.1 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Spam-Status: No, score=-0.0 required=4.0 tests=SPF_PASS autolearn=disabled version=3.1.7 X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on yxa-iv X-Virus-Scanned: ClamAV version 0.88.2, clamav-milter version 0.88.2 on yxa.extundo.com X-Virus-Status: Clean Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> Simon Josefsson <simon@josefsson.org> writes: > + 7 Channel binding negotiation failed. That was incorrect. I've fixed this (same URL as before), and also fixed the bitmask examples to have the bit numbers in the reverse order. http://josefsson.org/sasl-gs2/draft-ietf-sasl-gs2.txt /Simon The security layers and their corresponding bit-masks are as follows: 1 No security layer. 2 Integrity protection. Sender calls GSS_Wrap with conf_flag set to FALSE. 4 Confidentiality protection. Sender calls GSS_Wrap with conf_flag set to TRUE. 8-64 Reserved. 128 Channel binding negotiation failed. ... When confidentiality is negotiated, and channel binding negotiation failed, the octet will encode an integer 128+4=132 as follows. 7 6 5 4 3 2 1 0 +-+-+-+-+-+-+-+-+ |1|0|0|0|0|1|0|0| +-+-+-+-+-+-+-+-+ Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id lBKEc2cw023432 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 20 Dec 2007 07:38:02 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id lBKEc2cs023431; Thu, 20 Dec 2007 07:38:02 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from carter-zimmerman.suchdamage.org (carter-zimmerman.suchdamage.org [69.25.196.178]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id lBKEc16P023424 for <ietf-sasl@imc.org>; Thu, 20 Dec 2007 07:38:01 -0700 (MST) (envelope-from hartmans@mit.edu) Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id DB2524815; Thu, 20 Dec 2007 09:37:55 -0500 (EST) From: Sam Hartman <hartmans-ietf@mit.edu> To: ietf-sasl@imc.org Subject: Channel Binding and GSS-API mechanisms Date: Thu, 20 Dec 2007 09:37:55 -0500 Message-ID: <tslprx1ig8s.fsf@mit.edu> User-Agent: Gnus/5.110006 (No Gnus v0.6) Emacs/21.4 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> Folks, a couple of odd consequences of how GS2 and channel binding interact came to me during the meeting and I want to make sure we're aware of them and agree they are OK. First, if you have a channel binding that requires confidentiality for a channel that does not provide confidentiality you cannot use it with GS2. Honestly I don't consider this a big deal because I cannot think of any reason you'd define such a channel binding. It seems like such a bad idea I'd hope that the expert would decline the registration. If we do find a channel where this is the right solutionwe'll have some work to do. The second problem is more concerning. The way GS2 handles channel bindings makes it a bit tricky for things that want to be both a SASL mechanism and a GSS-API mechanism. GS2 does not use the GSS-API binding facility. It instead uses a wrap token. So, you'll need to define a wrap token for your mechanism. However if your mechanism is going to support channel binding when it is used as a GSS-API mechanism, then it needs to also support channel bindings in the GSS-API token. This complexity isn't a over-the wire complexity issue. It does not effect round trips. If you are only implementing the SASL mechanism there is not more work to do. However it makes the spec kind of complicated. Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id lBKE9UaD021295 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 20 Dec 2007 07:09:30 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id lBKE9UCY021294; Thu, 20 Dec 2007 07:09:30 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from yxa.extundo.com (yxa.extundo.com [83.241.177.38]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id lBKE9Qtp021285 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL) for <ietf-sasl@imc.org>; Thu, 20 Dec 2007 07:09:28 -0700 (MST) (envelope-from simon@josefsson.org) Received: from mocca.josefsson.org (yxa.extundo.com [83.241.177.38]) (authenticated bits=0) by yxa.extundo.com (8.13.4/8.13.4/Debian-3sarge3) with ESMTP id lBKE9EvO004130 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 20 Dec 2007 15:09:16 +0100 From: Simon Josefsson <simon@josefsson.org> To: Sam Hartman <hartmans-ietf@mit.edu> Cc: ietf-sasl@imc.org Subject: Re: What am I waiting on for gs2? References: <tslir3njs54.fsf@mit.edu> <87tzn6lcw9.fsf@mocca.josefsson.org> <tslprxufnqk.fsf@mit.edu> <tslk5o04vw3.fsf@mit.edu> OpenPGP: id=B565716F; url=http://josefsson.org/key.txt X-Hashcash: 1:22:071220:ietf-sasl@imc.org::NOnOaVzLgLLvLzZg:1s+q X-Hashcash: 1:22:071220:hartmans-ietf@mit.edu::TORZDpoCi6LGgs18:Vg/Y Date: Thu, 20 Dec 2007 15:09:14 +0100 In-Reply-To: <tslk5o04vw3.fsf@mit.edu> (Sam Hartman's message of "Thu, 29 Nov 2007 15:52:28 -0500") Message-ID: <87bq8ltq45.fsf@mocca.josefsson.org> User-Agent: Gnus/5.110007 (No Gnus v0.7) Emacs/22.1 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Spam-Status: No, score=-0.0 required=4.0 tests=SPF_PASS autolearn=disabled version=3.1.7 X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on yxa-iv X-Virus-Scanned: ClamAV version 0.88.2, clamav-milter version 0.88.2 on yxa.extundo.com X-Virus-Status: Clean Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> Sam Hartman <hartmans-ietf@mit.edu> writes: >>>>>> "Sam" == Sam Hartman <hartmans-ietf@MIT.EDU> writes: > >>>>>> "Simon" == Simon Josefsson <simon@josefsson.org> writes: > > Simon> Sam Hartman <hartmans-ietf@mit.edu> writes: > >>> I seem to have dropped the ball on gs2. What if anything am I > >>> waiting on to align with RFC 5056? > >>> > >>> Were the other issues all resolved? > > Simon> As far as I understood, the concern you raised was that GS2 > Simon> had to supply two fields for the channel binding prefix and > Simon> the channel binding data, which was not how I had > Simon> understood the channel-binding document. The > Simon> channel-binding document was changed to prefix all data > Simon> with the unique prefix, I think. Thus no change would be > Simon> needed for GS2. > > Simon, I reviewed the changes and I believe that there is one open > issue. > > The channel binding spec requires applications know about channel > binding failure. You added text passing this requirement along, but I > don't see how your protocol allows the client to detect channel > binding failure. > > We have c->m->s where m is a passive man in the middle that joins the > TLS stream. So, the channel bindings are different. C sends the > gss_wrap to s using the same qop for channel binding and non-channel > binding. > How does s indicate to c that the channel binding from s's standpoint is not the same as what it received from c? > > I think you need a bit (possibly as a flag bit xored in with the qop) > to indicate this. FYI, I had interpreted the requirement in RFC 5056: o Authentication frameworks and mechanisms that support channel binding MUST communicate channel binding failure to applications. to mean that implementations must let the local applications know about the situation. That allows them to abort the connection depending on local policy. I didn't read that to mean that protocols are required to notify the other side of the situation. The latter requirement is stronger than the former. I must admit that I don't see why the stronger requirement is a useful one. I have applied the patch below to address your concern. Updated document: http://josefsson.org/sasl-gs2/draft-ietf-sasl-gs2.txt Changes since the last version: http://josefsson.org/sasl-gs2/draft-ietf-sasl-gs2-from--09.diff.html As always, general information available from: http://josefsson.org/sasl-gs2/ I'll submit this to the IETF in a few days unless there are comments. /Simon @@ -802,11 +802,11 @@ no security layer and instead depend on the session security afforded by the bound-in channel. - In order to accomodate the requirement in [16] "Authentication + In order to accomodate the requirement in [8] "Authentication frameworks and mechanisms that support channel binding MUST communicate channel binding failure to applications" implementations - MUST provide a way to communicate channel binding failures to - applications. + assert bit 7 in the security layer bitmask (see Section 9) on + negotiation failures. Use of no SASL security layers in combination with channel binding should provide better performance than using SASL security layers @@ -1087,7 +1087,8 @@ token. o Local policy reject the attempt. For example, client and server - can't agree on qop proposal. + can't agree on qop proposal, or channel binding negotiation + failed. o (server-side) Authorization of client principal (i.e., src_name in GSS_Acecpt_sec_context) to requested authzid failed. @@ -1195,6 +1195,13 @@ "server_qop" MUST verify that it corresponds to an acceptable security level. + Whether the channel binding negotiation is successful or not may + influence the security layer selection. Bit 7 is used to signal + failed channel binding negotiation. Implementations MUST set the bit + if channel bindings were provided from the other end and a local + channel binding is absent or not equal. Implementation MUST clear + the bit otherwise. + The security layers and their corresponding bit-masks are as follows: 1 No security layer @@ -1202,6 +1209,7 @@ Sender calls GSS_Wrap with conf_flag set to FALSE 4 Confidentiality protection. Sender calls GSS_Wrap with conf_flag set to TRUE + 7 Channel binding negotiation failed. Other bit-masks may be defined in the future; bits which are not understood MUST be negotiated off. @@ -1530,6 +1530,9 @@ responses. This is a generic design critera for the GSS-API mechanisms used under GS2. + GS2 permits channel binding negotiation to fail. Implementation may + have a local policy to reject authentication attempts in this case. + When a server or client supports multiple GSS-API mechanisms, each of which has a different security strength, it is possible for an active attacker to cause a party to use the least secure mechanism Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id lBIIAsg2026536 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 18 Dec 2007 11:10:54 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id lBIIAsUs026535; Tue, 18 Dec 2007 11:10:54 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from biscayne-one-station.mit.edu (BISCAYNE-ONE-STATION.MIT.EDU [18.7.7.80]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id lBIIApIi026524 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <ietf-sasl@imc.org>; Tue, 18 Dec 2007 11:10:52 -0700 (MST) (envelope-from tlyu@MIT.EDU) Received: from outgoing.mit.edu (OUTGOING-AUTH.MIT.EDU [18.7.22.103]) by biscayne-one-station.mit.edu (8.13.6/8.9.2) with ESMTP id lBIIAoIS027119 for <ietf-sasl@imc.org>; Tue, 18 Dec 2007 13:10:50 -0500 (EST) Received: from cathode-dark-space.mit.edu (CATHODE-DARK-SPACE.MIT.EDU [18.18.1.96]) (authenticated bits=56) (User authenticated as tlyu@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.6/8.12.4) with ESMTP id lBIIAnsN009307 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT) for <ietf-sasl@imc.org>; Tue, 18 Dec 2007 13:10:49 -0500 (EST) Received: (from tlyu@localhost) by cathode-dark-space.mit.edu (8.12.9.20060308) id lBIIAnoD016327; Tue, 18 Dec 2007 13:10:49 -0500 (EST) To: ietf-sasl@imc.org Subject: new milestones for charter update From: Tom Yu <tlyu@MIT.EDU> Date: Tue, 18 Dec 2007 13:10:48 -0500 Message-ID: <ldvfxxzoouv.fsf@cathode-dark-space.mit.edu> Lines: 18 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Scanned-By: MIMEDefang 2.42 X-Spam-Flag: NO X-Spam-Score: 0.00 Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> These are milestones from the proposed charter update, modified to be about four months later. In about a week, if there are no objections, I will submit the proposed charter to the IESG. Done initial I-D for DIGEST-MD5 to Historic Done WGLC I-D for DIGEST-MD5 to Historic Feb 08 initial impl. report questionnaire Feb 08 initial RFC4422bis Feb 08 initial I-D for DIGEST-MD5 successor Feb 08 DIGEST-MD5 to Historic I-D to IESG Mar 08 send impl. report questionnaire Apr 08 compile impl. questionnaire responses Jun 08 WGLC RFC4422bis Jun 08 WGLC DIGEST-MD5 successor Jul 08 discuss impl. questionnaire responses Aug 08 final impl. report Aug 08 RFC4422bis to IESG Aug 08 DIGEST-MD5 successor to IESG Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id lBAEEGbd002497 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 10 Dec 2007 07:14:16 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id lBAEEGQf002496; Mon, 10 Dec 2007 07:14:16 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from yxa.extundo.com (yxa.extundo.com [83.241.177.38]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id lBAEEB08002484 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL) for <ietf-sasl@imc.org>; Mon, 10 Dec 2007 07:14:15 -0700 (MST) (envelope-from simon@josefsson.org) Received: from mocca.josefsson.org (yxa.extundo.com [83.241.177.38]) (authenticated bits=0) by yxa.extundo.com (8.13.4/8.13.4/Debian-3sarge3) with ESMTP id lBAEE2ep000312 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 10 Dec 2007 15:14:02 +0100 From: Simon Josefsson <simon@josefsson.org> To: Paul Leach <paulle@windows.microsoft.com> Cc: Alexey Melnikov <alexey.melnikov@isode.com>, "ietf-sasl\@imc.org" <ietf-sasl@imc.org> Subject: Re: Working Group Last Call: draft-melnikov-digest-to-historic-00.txt References: <ldvir3cu1nw.fsf@cathode-dark-space.mit.edu> <87ir3cp6w2.fsf@mocca.josefsson.org> <475AF372.90905@isode.com> <920B8B05FB49A04699188E04302FE87D48D30EE1D8@NA-EXMSG-W602.wingroup.windeploy.ntdev.microsoft.com> OpenPGP: id=B565716F; url=http://josefsson.org/key.txt X-Hashcash: 1:22:071210:paulle@windows.microsoft.com::4YPg4cTTSoVSBc+R:7LyY X-Hashcash: 1:22:071210:alexey.melnikov@isode.com::6ZI0M+02GQ4R11wp:K8ZF X-Hashcash: 1:22:071210:ietf-sasl@imc.org::wGmov6nrgccSrtBw:fXAg Date: Mon, 10 Dec 2007 15:14:01 +0100 In-Reply-To: <920B8B05FB49A04699188E04302FE87D48D30EE1D8@NA-EXMSG-W602.wingroup.windeploy.ntdev.microsoft.com> (Paul Leach's message of "Sun, 9 Dec 2007 19:00:55 -0800") Message-ID: <874peqmyc6.fsf@mocca.josefsson.org> User-Agent: Gnus/5.110007 (No Gnus v0.7) Emacs/22.1 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Spam-Status: No, score=-0.0 required=4.0 tests=SPF_PASS autolearn=disabled version=3.1.7 X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on yxa-iv X-Virus-Scanned: ClamAV version 0.88.2, clamav-milter version 0.88.2 on yxa.extundo.com X-Virus-Status: Clean Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> Paul Leach <paulle@windows.microsoft.com> writes: >>1) One of the main disadvantages with DIGEST-MD5 for me is that its >> cryptographic primitives are sub-standard by today's standard. The >> text in 7.B touches on this, but seems misplaced as 7 is about >> missing features. I suggest adding to section 1: >> >> 8. The cryptographic primitives in DIGEST-MD5 are not up to today's >> standards, in particular: >> >> A. The MD5 hash is sufficiently weak to make a brute force attack >> on DIGEST-MD5 easy with common hardware. >> >> B. Using the RC4 algorithm for the security layer without >> discarding the initial key stream output is prone to attack. >> >> > > [Paul Leach] While I certainly agree that MD5 is suspect, I'm not > aware that there are any known attacks on the usage in DIGEST. The bad > usage is: given a hash and a known input, it is possible to find other > inputs that yield the same hash. However, given an input part of which > is unknown (secret) and a hash, I wasn't aware that it is > computationally feasible to do better than to try to test all possible > secrets. Have I missed the relevant paper? That text is already in the document, so they aren't my words. However, I recall that there were a presentation at an appsarea meeting a few IETF meetings ago, where CRAM-MD5 (dictionary?) attacks were discussed and the practical consequences weren't pretty. I wasn't there and don't recall more details though, maybe someone else know of a better reference. /Simon Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id lBA3ebuv048145 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Sun, 9 Dec 2007 20:40:37 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id lBA3ebSV048144; Sun, 9 Dec 2007 20:40:37 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from fugue.toroid.org (fugue.toroid.org [85.10.196.113]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id lBA3eZ9J048137 for <ietf-sasl@imc.org>; Sun, 9 Dec 2007 20:40:36 -0700 (MST) (envelope-from ams@toroid.org) Received: from penne.toroid.org (localhost [127.0.0.1]) by fugue.toroid.org (Postfix) with ESMTP id 555715580A7; Mon, 10 Dec 2007 04:40:34 +0100 (CET) Received: by penne.toroid.org (Postfix, from userid 1000) id AF318ADC180; Mon, 10 Dec 2007 09:10:33 +0530 (IST) Date: Mon, 10 Dec 2007 09:10:33 +0530 From: Abhijit Menon-Sen <ams@oryx.com> To: Paul Leach <paulle@windows.microsoft.com> Cc: ietf-sasl@imc.org Subject: Re: Working Group Last Call: draft-melnikov-digest-to-historic-00.txt Message-ID: <20071210034033.GA12807@toroid.org> References: <ldvir3cu1nw.fsf@cathode-dark-space.mit.edu> <87ir3cp6w2.fsf@mocca.josefsson.org> <475AF372.90905@isode.com> <920B8B05FB49A04699188E04302FE87D48D30EE1D8@NA-EXMSG-W602.wingroup.windeploy.ntdev.microsoft.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <920B8B05FB49A04699188E04302FE87D48D30EE1D8@NA-EXMSG-W602.wingroup.windeploy.ntdev.microsoft.com> Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> At 2007-12-09 19:00:55 -0800, paulle@windows.microsoft.com wrote: > > The bad usage is: given a hash and a known input, it is possible to > find other inputs that yield the same hash. As far as I know, even that is not possible. For a given input, you can construct a pair of messages that hash to the same value and have the input text as a prefix, but you cannot target a specific hash value, and neither colliding message is identical to the input (i.e. no preimage attacks are possible). -- ams Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id lBA30ZSI041669 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Sun, 9 Dec 2007 20:00:35 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id lBA30ZP4041668; Sun, 9 Dec 2007 20:00:35 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from smtp.microsoft.com (smtp.microsoft.com [131.107.115.212]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id lBA30VJG041656 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NO) for <ietf-sasl@imc.org>; Sun, 9 Dec 2007 20:00:32 -0700 (MST) (envelope-from paulle@windows.microsoft.com) Received: from tk1-exhub-c101.redmond.corp.microsoft.com (157.56.116.111) by TK5-EXGWY-E801.partners.extranet.microsoft.com (10.251.56.50) with Microsoft SMTP Server (TLS) id 8.1.222.3; Sun, 9 Dec 2007 19:00:31 -0800 Received: from TK5-EXMLT-W603.wingroup.windeploy.ntdev.microsoft.com (157.54.18.6) by tk1-exhub-c101.redmond.corp.microsoft.com (157.56.116.111) with Microsoft SMTP Server id 8.1.222.3; Sun, 9 Dec 2007 19:00:30 -0800 Received: from NA-EXMSG-W602.wingroup.windeploy.ntdev.microsoft.com ([157.54.62.198]) by TK5-EXMLT-W603.wingroup.windeploy.ntdev.microsoft.com ([157.54.18.6]) with mapi; Sun, 9 Dec 2007 19:00:30 -0800 From: Paul Leach <paulle@windows.microsoft.com> To: Alexey Melnikov <alexey.melnikov@isode.com>, Simon Josefsson <simon@josefsson.org> CC: "ietf-sasl@imc.org" <ietf-sasl@imc.org> Date: Sun, 9 Dec 2007 19:00:55 -0800 Subject: RE: Working Group Last Call: draft-melnikov-digest-to-historic-00.txt Thread-Topic: Working Group Last Call: draft-melnikov-digest-to-historic-00.txt Thread-Index: Acg51CEB3tt+/DnKR/27+bUSxnX62ABA9S7w Message-ID: <920B8B05FB49A04699188E04302FE87D48D30EE1D8@NA-EXMSG-W602.wingroup.windeploy.ntdev.microsoft.com> References: <ldvir3cu1nw.fsf@cathode-dark-space.mit.edu> <87ir3cp6w2.fsf@mocca.josefsson.org> <475AF372.90905@isode.com> In-Reply-To: <475AF372.90905@isode.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: acceptlanguage: en-US Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by balder-227.proper.com id lBA30WJF041658 Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> While I ver -----Original Message----- From: owner-ietf-sasl@mail.imc.org [mailto:owner-ietf-sasl@mail.imc.org] On Behalf Of Alexey Melnikov Sent: Saturday, December 08, 2007 11:42 AM To: Simon Josefsson Cc: ietf-sasl@imc.org Subject: Re: Working Group Last Call: draft-melnikov-digest-to-historic-00.txt >1) One of the main disadvantages with DIGEST-MD5 for me is that its > cryptographic primitives are sub-standard by today's standard. The > text in 7.B touches on this, but seems misplaced as 7 is about > missing features. I suggest adding to section 1: > > 8. The cryptographic primitives in DIGEST-MD5 are not up to today's > standards, in particular: > > A. The MD5 hash is sufficiently weak to make a brute force attack > on DIGEST-MD5 easy with common hardware. > > B. Using the RC4 algorithm for the security layer without > discarding the initial key stream output is prone to attack. > > [Paul Leach] While I certainly agree that MD5 is suspect, I'm not aware that there are any known attacks on the usage in DIGEST. The bad usage is: given a hash and a known input, it is possible to find other inputs that yield the same hash. However, given an input part of which is unknown (secret) and a hash, I wasn't aware that it is computationally feasible to do better than to try to test all possible secrets. Have I missed the relevant paper? (The above is just in the interest of accuracy -- I have no objection to moving DIGEST to historic.) Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id lB8JfpWx091128 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Sat, 8 Dec 2007 12:41:51 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id lB8Jfpco091127; Sat, 8 Dec 2007 12:41:51 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from rufus.isode.com (rufus.isode.com [62.3.217.251]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id lB8Jfn0d091119 for <ietf-sasl@imc.org>; Sat, 8 Dec 2007 12:41:50 -0700 (MST) (envelope-from alexey.melnikov@isode.com) Received: from [192.168.1.129] (S0106005018446c5d.vc.shawcable.net [24.85.75.120]) by rufus.isode.com (submission channel) via TCP with ESMTPA id <R1rzeQBCHKPW@rufus.isode.com>; Sat, 8 Dec 2007 19:41:47 +0000 Message-ID: <475AF372.90905@isode.com> Date: Sat, 08 Dec 2007 19:41:38 +0000 From: Alexey Melnikov <alexey.melnikov@isode.com> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 X-Accept-Language: en-us, en To: Simon Josefsson <simon@josefsson.org> CC: ietf-sasl@imc.org Subject: Re: Working Group Last Call: draft-melnikov-digest-to-historic-00.txt References: <ldvir3cu1nw.fsf@cathode-dark-space.mit.edu> <87ir3cp6w2.fsf@mocca.josefsson.org> In-Reply-To: <87ir3cp6w2.fsf@mocca.josefsson.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> Simon Josefsson wrote: >Tom Yu <tlyu@MIT.EDU> writes: > > >>A URL for this Internet-Draft is: >>http://www.ietf.org/internet-drafts/draft-melnikov-digest-to-historic-00.txt >> >> >I have read the document and support it. Two concerns though: > > Simon, thank you for your comments. >1) One of the main disadvantages with DIGEST-MD5 for me is that its > cryptographic primitives are sub-standard by today's standard. The > text in 7.B touches on this, but seems misplaced as 7 is about > missing features. I suggest adding to section 1: > > 8. The cryptographic primitives in DIGEST-MD5 are not up to today's > standards, in particular: > > A. The MD5 hash is sufficiently weak to make a brute force attack > on DIGEST-MD5 easy with common hardware. > > B. Using the RC4 algorithm for the security layer without > discarding the initial key stream output is prone to attack. > > I've added this. > And consequently removing the text in 7.B (which is the same as 8.A), > except that it fixes a typo and adds a leading 'The'. > > I retained "Lack of hash agility" in 7, but removed text about MD5 (which is now in 8) Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id lB7AqMRu046860 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 7 Dec 2007 03:52:22 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id lB7AqMee046859; Fri, 7 Dec 2007 03:52:22 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from yxa.extundo.com (yxa.extundo.com [83.241.177.38]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id lB7AqJho046849 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL) for <ietf-sasl@imc.org>; Fri, 7 Dec 2007 03:52:21 -0700 (MST) (envelope-from simon@josefsson.org) Received: from mocca.josefsson.org (yxa.extundo.com [83.241.177.38]) (authenticated bits=0) by yxa.extundo.com (8.13.4/8.13.4/Debian-3sarge3) with ESMTP id lB7Aq9jv013510 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 7 Dec 2007 11:52:10 +0100 X-Hashcash: 1:22:071207:ietf-sasl@imc.org::HN8jZsLHqlBWoYHQ:2UA4 From: Simon Josefsson <simon@josefsson.org> To: Tom Yu <tlyu@MIT.EDU> Cc: ietf-sasl@imc.org Subject: Re: IETF70 SASL summary References: <ldvtzmvoccc.fsf@cathode-dark-space.mit.edu> OpenPGP: id=B565716F; url=http://josefsson.org/key.txt X-Hashcash: 1:22:071207:tlyu@mit.edu::GkxpXBPp7dhodT4q:8wqu X-Hashcash: 1:22:071207:saag@mit.edu::26mgIgR8hJfRJu9+:WUPq Date: Fri, 07 Dec 2007 12:52:07 +0100 In-Reply-To: <ldvtzmvoccc.fsf@cathode-dark-space.mit.edu> (Tom Yu's message of "Thu, 06 Dec 2007 14:24:51 -0500") Message-ID: <87sl2eu3h4.fsf@mocca.josefsson.org> User-Agent: Gnus/5.110007 (No Gnus v0.7) Emacs/22.1 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Spam-Status: No, score=-0.0 required=4.0 tests=SPF_PASS autolearn=disabled version=3.1.7 X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on yxa-iv X-Virus-Scanned: ClamAV version 0.88.2, clamav-milter version 0.88.2 on yxa.extundo.com X-Virus-Status: Clean Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> Tom Yu <tlyu@MIT.EDU> writes: > Simon Josefsson has indicated he is not interested in purusing his > password-based mech draft at this time Just to clarify: I will pursue the draft (implementing it now, the draft will change a lot), but due to lack of interest (I haven't seen any feedback), it won't include the SASL/GS2 mappings. The document will be a strict password-based GSS-API mechanism. /Simon Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id lB7AUAPf044941 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 7 Dec 2007 03:30:11 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id lB7AUAqF044936; Fri, 7 Dec 2007 03:30:10 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from yxa.extundo.com (yxa.extundo.com [83.241.177.38]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id lB7AU7FW044829 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL) for <ietf-sasl@imc.org>; Fri, 7 Dec 2007 03:30:09 -0700 (MST) (envelope-from simon@josefsson.org) Received: from mocca.josefsson.org (yxa.extundo.com [83.241.177.38]) (authenticated bits=0) by yxa.extundo.com (8.13.4/8.13.4/Debian-3sarge3) with ESMTP id lB7ATq8p010725 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 7 Dec 2007 11:29:53 +0100 From: Simon Josefsson <simon@josefsson.org> To: "Frank Ellermann" <hmdmhdfmhdjmzdtjmzdtzktdkztdjz@gmail.com> Cc: ietf-sasl@imc.org Subject: Re: Working Group Last Call: draft-melnikov-digest-to-historic-00.txt References: <ldvir3cu1nw.fsf@cathode-dark-space.mit.edu> <87ir3cp6w2.fsf@mocca.josefsson.org> <fj9pp2$nan$1@ger.gmane.org> OpenPGP: id=B565716F; url=http://josefsson.org/key.txt X-Hashcash: 1:22:071207:ietf-sasl@imc.org::n1ykxWuJrFA429z7:21ep X-Hashcash: 1:22:071207:hmdmhdfmhdjmzdtjmzdtzktdkztdjz@gmail.com::Dig5f4j3tJEneKUY:2xXX Date: Fri, 07 Dec 2007 12:29:51 +0100 In-Reply-To: <fj9pp2$nan$1@ger.gmane.org> (Frank Ellermann's message of "Thu, 6 Dec 2007 22:34:27 +0100") Message-ID: <877ijqvj2o.fsf@mocca.josefsson.org> User-Agent: Gnus/5.110007 (No Gnus v0.7) Emacs/22.1 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Spam-Status: No, score=-0.0 required=4.0 tests=SPF_PASS autolearn=disabled version=3.1.7 X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on yxa-iv X-Virus-Scanned: ClamAV version 0.88.2, clamav-milter version 0.88.2 on yxa.extundo.com X-Virus-Status: Clean Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> "Frank Ellermann" <nobody@xyzzy.claranet.de> writes: > Simon Josefsson wrote: > >> A. The MD5 hash is sufficiently weak to make a brute force attack >> on DIGEST-MD5 easy with common hardware. > > If "can identify the first three or four characters of the secret" > is still state of the art (and IFF I recall that correctly), then > "easy" might be slightly exaggerated. From my POV various _other_ > issues with DIGEST-MD5 are predominant, not its weakness. That text is already in the document. I agree it isn't the major concern, that's why I listed it last. ;) /Simon Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id lB74vYfR014818 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 6 Dec 2007 21:57:34 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id lB74vYTe014817; Thu, 6 Dec 2007 21:57:34 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from fugue.toroid.org (fugue.toroid.org [85.10.196.113]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id lB74vX5Z014808 for <ietf-sasl@imc.org>; Thu, 6 Dec 2007 21:57:33 -0700 (MST) (envelope-from ams@toroid.org) Received: from penne.toroid.org (localhost [127.0.0.1]) by fugue.toroid.org (Postfix) with ESMTP id 2EB465580A7; Fri, 7 Dec 2007 05:57:31 +0100 (CET) Received: by penne.toroid.org (Postfix, from userid 1000) id 996C1ADC180; Fri, 7 Dec 2007 10:27:30 +0530 (IST) Date: Fri, 7 Dec 2007 10:27:30 +0530 From: Abhijit Menon-Sen <ams@oryx.com> To: Chris Newman <Chris.Newman@Sun.COM> Cc: Simon Josefsson <simon@josefsson.org>, Tom Yu <tlyu@MIT.EDU>, ietf-sasl@imc.org Subject: Re: Working Group Last Call: draft-melnikov-digest-to-historic-00.txt Message-ID: <20071207045730.GA7654@toroid.org> References: <ldvir3cu1nw.fsf@cathode-dark-space.mit.edu> <87ir3cp6w2.fsf@mocca.josefsson.org> <74E5B27F995EF0723C979D40@446E7922C82D299DB29D899F> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <74E5B27F995EF0723C979D40@446E7922C82D299DB29D899F> Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> At 2007-12-06 17:31:54 -0800, Chris.Newman@Sun.COM wrote: > > I have read this document and would support publication of version > -00. I have also reviewed the document, and sent Alexey a number of minor editorial comments in private mail. I agree with the substance of the document, however, and support its publication (with or without the addition of a qualified suggestion to use TLS+PLAIN instead). -- ams Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id lB72TUQu006249 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 6 Dec 2007 19:29:30 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id lB72TUfw006248; Thu, 6 Dec 2007 19:29:30 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from rufus.isode.com (rufus.isode.com [62.3.217.251]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id lB72TT9o006242 for <ietf-sasl@imc.org>; Thu, 6 Dec 2007 19:29:30 -0700 (MST) (envelope-from alexey.melnikov@isode.com) Received: from [130.129.17.12] (dhcp-110c.ietf70.org [130.129.17.12]) by rufus.isode.com (submission channel) via TCP with ESMTPA id <R1iwBABCHFsm@rufus.isode.com>; Fri, 7 Dec 2007 02:29:27 +0000 Message-ID: <4758B001.4070504@isode.com> Date: Fri, 07 Dec 2007 02:29:21 +0000 From: Alexey Melnikov <alexey.melnikov@isode.com> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 X-Accept-Language: en-us, en To: Chris Newman <Chris.Newman@sun.com> CC: Simon Josefsson <simon@josefsson.org>, ietf-sasl@imc.org Subject: Re: Working Group Last Call: draft-melnikov-digest-to-historic-00.txt References: <ldvir3cu1nw.fsf@cathode-dark-space.mit.edu> <87ir3cp6w2.fsf@mocca.josefsson.org> <74E5B27F995EF0723C979D40@446E7922C82D299DB29D899F> In-Reply-To: <74E5B27F995EF0723C979D40@446E7922C82D299DB29D899F> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> Chris Newman wrote: > I have read this document and would support publication of version -00. > > The suggestions Simon Josefsson made are reasonable and I would also > support publication of a document including those suggestions. Agreed. > The issue of PLAIN + TLS as mandatory-to-implement does have the > subtlety that it's not appropriate as mandatory-to-implement mechanism > for all protocols although it has been used by several standards track > protocols for that purpose. Indeed. It has different properties, so I would rather not actively recommend it as a replacement. > It may make it easier to get the document published if such text is > omitted or conservative. Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id lB71VnpE002467 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 6 Dec 2007 18:31:49 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id lB71VnUt002466; Thu, 6 Dec 2007 18:31:49 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from brmea-mail-3.sun.com (brmea-mail-3.Sun.COM [192.18.98.34]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id lB71VjIA002456 for <ietf-sasl@imc.org>; Thu, 6 Dec 2007 18:31:45 -0700 (MST) (envelope-from Chris.Newman@Sun.COM) Received: from fe-amer-10.sun.com ([192.18.109.80]) by brmea-mail-3.sun.com (8.13.6+Sun/8.12.9) with ESMTP id lB71Viis011647 for <ietf-sasl@imc.org>; Fri, 7 Dec 2007 01:31:45 GMT Received: from conversion-daemon.mail-amer.sun.com by mail-amer.sun.com (Sun Java System Messaging Server 6.2-8.04 (built Feb 28 2007)) id <0JSN00701O6ER100@mail-amer.sun.com> (original mail from Chris.Newman@Sun.COM) for ietf-sasl@imc.org; Thu, 06 Dec 2007 18:31:44 -0700 (MST) Received: from dhcp-1288.ietf70.org (dhcp-1288.ietf70.org [130.129.18.136]) by mail-amer.sun.com (Sun Java System Messaging Server 6.2-8.04 (built Feb 28 2007)) with ESMTPSA id <0JSN008N2O8UDG20@mail-amer.sun.com>; Thu, 06 Dec 2007 18:31:44 -0700 (MST) Date: Thu, 06 Dec 2007 17:31:54 -0800 From: Chris Newman <Chris.Newman@Sun.COM> Subject: Re: Working Group Last Call: draft-melnikov-digest-to-historic-00.txt In-reply-to: <87ir3cp6w2.fsf@mocca.josefsson.org> To: Simon Josefsson <simon@josefsson.org>, Tom Yu <tlyu@MIT.EDU> Cc: ietf-sasl@imc.org Message-id: <74E5B27F995EF0723C979D40@446E7922C82D299DB29D899F> MIME-version: 1.0 X-Mailer: Mulberry/4.0.8 (Mac OS X) Content-type: text/plain; format=flowed; charset=us-ascii Content-transfer-encoding: 7BIT Content-disposition: inline References: <ldvir3cu1nw.fsf@cathode-dark-space.mit.edu> <87ir3cp6w2.fsf@mocca.josefsson.org> Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> I have read this document and would support publication of version -00. The suggestions Simon Josefsson made are reasonable and I would also support publication of a document including those suggestions. The issue of PLAIN + TLS as mandatory-to-implement does have the subtlety that it's not appropriate as mandatory-to-implement mechanism for all protocols although it has been used by several standards track protocols for that purpose. It may make it easier to get the document published if such text is omitted or conservative. - Chris Simon Josefsson wrote on 12/6/07 9:25 +0100: > Tom Yu <tlyu@MIT.EDU> writes: > >> A URL for this Internet-Draft is: >> http://www.ietf.org/internet-drafts/draft-melnikov-digest-to-historic-00.txt > > I have read the document and support it. Two concerns though: > > 1) One of the main disadvantages with DIGEST-MD5 for me is that its > cryptographic primitives are sub-standard by today's standard. The > text in 7.B touches on this, but seems misplaced as 7 is about > missing features. I suggest adding to section 1: > > 8. The cryptographic primitives in DIGEST-MD5 are not up to today's > standards, in particular: > > A. The MD5 hash is sufficiently weak to make a brute force attack > on DIGEST-MD5 easy with common hardware. > > B. Using the RC4 algorithm for the security layer without > discarding the initial key stream output is prone to attack. > > And consequently removing the text in 7.B (which is the same as 8.A), > except that it fixes a typo and adds a leading 'The'. > > 2) There should be better recommendations on what users should use > instead. There is the following text: > > Note that despite DIGEST-MD5 seeing some deployment on the > Internet, this specification recommends obsoleting DIGEST-MD5 > because DIGEST- MD5, as implemented, is not a reasonable candidate > for further standardization and should be deprecated in favor of > one or more new password-based mechanisms currently being designed. > > I think there should be a reference to PLAIN+TLS here. I think a > recommendation to wait for some future protocol to materialize, while > best from security perspective, should be amended with a practical > recommendation. > > Thanks, > /Simon > > Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id lB6LWlE8082595 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 6 Dec 2007 14:32:47 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id lB6LWlRs082594; Thu, 6 Dec 2007 14:32:47 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from ciao.gmane.org (main.gmane.org [80.91.229.2]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id lB6LWi7r082582 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=NO) for <ietf-sasl@imc.org>; Thu, 6 Dec 2007 14:32:46 -0700 (MST) (envelope-from gis-ietf-sasl-560@gmane.org) Received: from list by ciao.gmane.org with local (Exim 4.43) id 1J0OKk-00069r-AF for ietf-sasl@imc.org; Thu, 06 Dec 2007 21:32:38 +0000 Received: from c-134-89-138.hh.dial.de.ignite.net ([62.134.89.138]) by main.gmane.org with esmtp (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for <ietf-sasl@imc.org>; Thu, 06 Dec 2007 21:32:38 +0000 Received: from nobody by c-134-89-138.hh.dial.de.ignite.net with local (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for <ietf-sasl@imc.org>; Thu, 06 Dec 2007 21:32:38 +0000 X-Injected-Via-Gmane: http://gmane.org/ To: ietf-sasl@imc.org From: "Frank Ellermann" <nobody@xyzzy.claranet.de> Subject: Re: Working Group Last Call: draft-melnikov-digest-to-historic-00.txt Date: Thu, 6 Dec 2007 22:34:27 +0100 Organization: <http://purl.net/xyzzy> Lines: 11 Message-ID: <fj9pp2$nan$1@ger.gmane.org> References: <ldvir3cu1nw.fsf@cathode-dark-space.mit.edu> <87ir3cp6w2.fsf@mocca.josefsson.org> Reply-To: "Frank Ellermann" <hmdmhdfmhdjmzdtjmzdtzktdkztdjz@gmail.com> Mime-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable X-Complaints-To: usenet@ger.gmane.org X-Gmane-NNTP-Posting-Host: c-134-89-138.hh.dial.de.ignite.net X-MSMail-Priority: Normal X-Newsreader: Microsoft Outlook Express 6.00.2800.1914 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1914 Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> Simon Josefsson wrote: =20 > A. The MD5 hash is sufficiently weak to make a brute force attack > on DIGEST-MD5 easy with common hardware. If "can identify the first three or four characters of the secret" is still state of the art (and IFF I recall that correctly), then "easy" might be slightly exaggerated. From my POV various _other_ issues with DIGEST-MD5 are predominant, not its weakness. Frank Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id lB6FTWXa048081 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 6 Dec 2007 08:29:32 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id lB6FTWcI048080; Thu, 6 Dec 2007 08:29:32 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from dizzyd.com (dizzyd.com [207.210.219.225]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id lB6FTUv7048071 for <ietf-sasl@imc.org>; Thu, 6 Dec 2007 08:29:31 -0700 (MST) (envelope-from stpeter@stpeter.im) Received: from dialup-4.227.238.13.Dial1.Denver1.Level3.net (dialup-4.227.238.13.Dial1.Denver1.Level3.net [4.227.238.13]) (Authenticated sender: stpeter) by dizzyd.com (Postfix) with ESMTP id E65BB40075; Thu, 6 Dec 2007 08:29:24 -0700 (MST) Message-ID: <475815AA.1090004@stpeter.im> Date: Thu, 06 Dec 2007 08:30:50 -0700 From: Peter Saint-Andre <stpeter@stpeter.im> User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.1.9) Gecko/20071031 Thunderbird/2.0.0.9 Mnenhy/0.7.5.666 MIME-Version: 1.0 To: Simon Josefsson <simon@josefsson.org> CC: ietf-sasl@imc.org Subject: Re: Working Group Last Call: draft-melnikov-digest-to-historic-00.txt References: <ldvir3cu1nw.fsf@cathode-dark-space.mit.edu> <87ir3cp6w2.fsf@mocca.josefsson.org> In-Reply-To: <87ir3cp6w2.fsf@mocca.josefsson.org> X-Enigmail-Version: 0.95.5 OpenPGP: id=7BBD0573; url=http://www.saint-andre.com/me/stpeter.asc Jabber-ID: stpeter@jabber.org Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary="------------ms030203040303010208020201" Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> This is a cryptographically signed message in MIME format. --------------ms030203040303010208020201 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Simon Josefsson wrote: > Tom Yu <tlyu@MIT.EDU> writes: > >> A URL for this Internet-Draft is: >> http://www.ietf.org/internet-drafts/draft-melnikov-digest-to-historic-00.txt > > I have read the document and support it. Two concerns though: <snip/> > 2) There should be better recommendations on what users should use > instead. There is the following text: > > Note that despite DIGEST-MD5 seeing some deployment on the > Internet, this specification recommends obsoleting DIGEST-MD5 > because DIGEST- MD5, as implemented, is not a reasonable candidate > for further standardization and should be deprecated in favor of > one or more new password-based mechanisms currently being designed. > > I think there should be a reference to PLAIN+TLS here. I think a > recommendation to wait for some future protocol to materialize, while > best from security perspective, should be amended with a practical > recommendation. Agreed. The DIGEST-MD5 mechanism has seen wide deployment in Jabber/XMPP systems because it is recommended in RFC 3920. In rfc3920bis we will recommend TLS + SASL PLAIN instead. Peter -- Peter Saint-Andre https://stpeter.im/ --------------ms030203040303010208020201 Content-Type: application/x-pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" Content-Description: S/MIME Cryptographic Signature MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIYQDCC B3AwggbZoAMCAQICAQowDQYJKoZIhvcNAQEEBQAwgbAxCzAJBgNVBAYTAklMMQ8wDQYDVQQI EwZJc3JhZWwxDjAMBgNVBAcTBUVpbGF0MRYwFAYDVQQKEw1TdGFydENvbSBMdGQuMRowGAYD VQQLExFDQSBBdXRob3JpdHkgRGVwLjEpMCcGA1UEAxMgRnJlZSBTU0wgQ2VydGlmaWNhdGlv biBBdXRob3JpdHkxITAfBgkqhkiG9w0BCQEWEmFkbWluQHN0YXJ0Y29tLm9yZzAeFw0wNTA0 MDUxNDUyMTNaFw0xMDA0MDQxNDUyMTNaMIGvMQswCQYDVQQGEwJJTDEPMA0GA1UECBMGSXNy YWVsMRYwFAYDVQQKEw1TdGFydENvbSBMdGQuMSMwIQYDVQQLExpTZWN1cmUgQ2VydGlmaWNh dGUgU2lnbmluZzEvMC0GA1UEAxMmU3RhcnRDb20gQ2xhc3MgMyBQcmltYXJ5IEVtYWlsIEZy ZWUgQ0ExITAfBgkqhkiG9w0BCQEWEmFkbWluQHN0YXJ0Y29tLm9yZzCCASIwDQYJKoZIhvcN AQEBBQADggEPADCCAQoCggEBAPEaOcSx5ZNexwo1zJNcX48UV0UtkNtWX3qa9ZaX2VZilgIz eIrObloQV0Ma2rdgqosW9xMb5u3lBVIumt7fEwgMqqtDa3F2Qudelv93P9z2nbmn7X4GnCKA IQcW97KOSgQQHaVPHq03xGFbszx+LOKrBi/xv3bcGxtYrH+10M1nHbCRo8U2+zcJQowxoI+O U5nhko9vU25Jp8ZQ2fROH6C2TSjZuanzMTyvc5+dJiN2Hm2MhAMrqO7pUGhDKuUvnmKpAcwj eYQHU51mvlB4IId+4bTEwVoG4AMJ8RXB47VdJevN0yqeJSACyoRft4w4OpqFysR1HTT6aE6u xLg9ZC0CAwEAAaOCBBMwggQPMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgHmMB0GA1Ud DgQWBBQErNskd1NGRpZfFwFcfUJHvUgZCDCB3QYDVR0jBIHVMIHSgBQcicOWzL3+MtUNjIEx tpidjShkjaGBtqSBszCBsDELMAkGA1UEBhMCSUwxDzANBgNVBAgTBklzcmFlbDEOMAwGA1UE BxMFRWlsYXQxFjAUBgNVBAoTDVN0YXJ0Q29tIEx0ZC4xGjAYBgNVBAsTEUNBIEF1dGhvcml0 eSBEZXAuMSkwJwYDVQQDEyBGcmVlIFNTTCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTEhMB8G CSqGSIb3DQEJARYSYWRtaW5Ac3RhcnRjb20ub3JnggEAMB0GA1UdEQQWMBSBEmFkbWluQHN0 YXJ0Y29tLm9yZzAdBgNVHRIEFjAUgRJhZG1pbkBzdGFydGNvbS5vcmcwYgYDVR0fBFswWTAp oCegJYYjaHR0cDovL2NlcnQuc3RhcnRjb20ub3JnL2NhLWNybC5jcmwwLKAqoCiGJmh0dHA6 Ly9jcmwuc3RhcnRjb20ub3JnL2NybC9jYS1jcmwuY3JsMIIBSgYDVR0gBIIBQTCCAT0wggE5 BgsrBgEEAYG1NwEBATCCASgwLwYIKwYBBQUHAgEWI2h0dHA6Ly9jZXJ0LnN0YXJ0Y29tLm9y Zy9wb2xpY3kucGRmMDUGCCsGAQUFBwIBFilodHRwOi8vY2VydC5zdGFydGNvbS5vcmcvaW50 ZXJtZWRpYXRlLnBkZjCBvQYIKwYBBQUHAgIwgbAwFBYNU3RhcnRDb20gTHRkLjADAgEBGoGX TGltaXRlZCBMaWFiaWxpdHksIHJlYWQgdGhlIHNlY3Rpb24gKkxlZ2FsIExpbWl0YXRpb25z KiBvZiB0aGUgU3RhcnRDb20gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgUG9saWN5IGF2YWls YWJsZSBhdCBodHRwOi8vY2VydC5zdGFydGNvbS5vcmcvcG9saWN5LnBkZjARBglghkgBhvhC AQEEBAMCAAcwUAYJYIZIAYb4QgENBEMWQVN0YXJ0Q29tIENsYXNzIDMgUHJpbWFyeSBJbnRl cm1lZGlhdGUgRnJlZSBTU0wgRW1haWwgQ2VydGlmaWNhdGVzMDIGCWCGSAGG+EIBBAQlFiNo dHRwOi8vY2VydC5zdGFydGNvbS5vcmcvY2EtY3JsLmNybDAzBglghkgBhvhCAQMEJhYkaHR0 cDovL2NlcnQuc3RhcnRjb20ub3JnL2NydC1jcmwuY3JsMDIGCWCGSAGG+EIBCAQlFiNodHRw Oi8vY2VydC5zdGFydGNvbS5vcmcvcG9saWN5LnBkZjANBgkqhkiG9w0BAQQFAAOBgQBc1g6H yT3ZrGb0Kq+kkqetnSXtcwffHEr6Tia2XqCqPLLzdZ8VTxVjeq/Kpg2u+8cGASIl1U45XmWa v4Vez+jSSnChRHwidmbwjCtNBFxr4C/Nkgs8wk2zNQbh+zlDKNophJT7+DVOhnIMJzdNkQW0 4STurMCFwLoyx5k1rDHQYTCCCGIwggdKoAMCAQICAwF4qjANBgkqhkiG9w0BAQUFADCBrzEL MAkGA1UEBhMCSUwxDzANBgNVBAgTBklzcmFlbDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjEj MCEGA1UECxMaU2VjdXJlIENlcnRpZmljYXRlIFNpZ25pbmcxLzAtBgNVBAMTJlN0YXJ0Q29t IENsYXNzIDMgUHJpbWFyeSBFbWFpbCBGcmVlIENBMSEwHwYJKoZIhvcNAQkBFhJhZG1pbkBz dGFydGNvbS5vcmcwHhcNMDcwODIyMjExMzI3WhcNMDgwODIxMjExMzI3WjCBujELMAkGA1UE BhMCVVMxETAPBgNVBAgTCENvbG9yYWRvMQ8wDQYDVQQHEwZEZW52ZXIxGjAYBgNVBAoTEVBl dGVyIFNhaW50LUFuZHJlMSwwKgYDVQQLEyNTdGFydENvbSBUcnVzdGVkIENlcnRpZmljYXRl IE1lbWJlcjEaMBgGA1UEAxMRUGV0ZXIgU2FpbnQtQW5kcmUxITAfBgkqhkiG9w0BCQEWEnN0 cGV0ZXJAc3RwZXRlci5pbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALC1dkqD gghuvUCkEloRDX50TTJ6Szj1BqtMpYq+An66BwkWfP07uay+jHori77776wk1/Ajk1nTSHX+ JWo+JWwVXYWBX+Zd780bB0FGShYlHGwMhd/pxX9sT4KW3D+r8sIHVbTGdudSweuNdBhqr1iE cjze75hpywMkk1OQhTkseQxI5owa9M31JOdNEX0Ja6esyhwwtqqTNC86OujXwa2wew8GTRJE 9p2I0B1VCsKuJaPatbIcf9OFiTSODb5vyoq3+lrElh6V6BXKxEfQ4D2HCSY+5UmlKdnltzvN bqxyaTYQi1YGsFzew7ST3R8P5jrCq2cvRjGrTKVojZXgPZ0CAwEAAaOCBHgwggR0MAwGA1Ud EwQFMAMCAQAwCwYDVR0PBAQDAgSwMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDBDAd BgNVHQ4EFgQUl7CU2dS/alOwLIHV/Oc2RkGDYugwgd0GA1UdIwSB1TCB0oAUBKzbJHdTRkaW XxcBXH1CR71IGQihgbakgbMwgbAxCzAJBgNVBAYTAklMMQ8wDQYDVQQIEwZJc3JhZWwxDjAM BgNVBAcTBUVpbGF0MRYwFAYDVQQKEw1TdGFydENvbSBMdGQuMRowGAYDVQQLExFDQSBBdXRo b3JpdHkgRGVwLjEpMCcGA1UEAxMgRnJlZSBTU0wgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkx ITAfBgkqhkiG9w0BCQEWEmFkbWluQHN0YXJ0Y29tLm9yZ4IBCjCCAUAGA1UdIASCATcwggEz MIIBLwYLKwYBBAGBtTcBAQQwggEeMDUGCCsGAQUFBwIBFilodHRwOi8vY2VydC5zdGFydGNv bS5vcmcvaW50ZXJtZWRpYXRlLnBkZjAvBggrBgEFBQcCARYjaHR0cDovL2NlcnQuc3RhcnRj b20ub3JnL3BvbGljeS5wZGYwgbMGCCsGAQUFBwICMIGmMBQWDVN0YXJ0Q29tIEx0ZC4wAwIB ARqBjUxpbWl0ZWQgTGlhYmlsaXR5LCByZWFkIHRoZSBzZWN0aW9uICpMZWdhbCBMaW1pdGF0 aW9ucyogb2YgdGhlIFN0YXJ0Q29tIENlcnRpZmljYXRpb24gUG9saWN5IGF2YWlsYWJsZSBh dCBodHRwOi8vY2VydC5zdGFydGNvbS5vcmcvcG9saWN5LnBkZjBkBgNVHR8EXTBbMCygKqAo hiZodHRwOi8vY2VydC5zdGFydGNvbS5vcmcvY3J0dTMtY3JsLmNybDAroCmgJ4YlaHR0cDov L2NybC5zdGFydGNvbS5vcmcvY3J0dTMtY3JsLmNybDCBhAYIKwYBBQUHAQEEeDB2MDcGCCsG AQUFBzABhitodHRwOi8vb2NzcC5zdGFydGNvbS5vcmcvc3ViL2NsYXNzMy91c2VyL2NhMDsG CCsGAQUFBzAChi9odHRwOi8vY2VydC5zdGFydGNvbS5vcmcvc3ViLmNsYXNzMy51c2VyLmNh LmNydDARBglghkgBhvhCAQEEBAMCBaAwMQYJYIZIAYb4QgENBCQWIlN0YXJ0Q29tIFRydXN0 ZWQgRW1haWwgQ2VydGlmaWNhdGUwMgYJYIZIAYb4QgEEBCUWI2h0dHA6Ly9jZXJ0LnN0YXJ0 Y29tLm9yZy9jYS1jcmwuY3JsMDUGCWCGSAGG+EIBAwQoFiZodHRwOi8vY2VydC5zdGFydGNv bS5vcmcvY3J0dTMtY3JsLmNybDAyBglghkgBhvhCAQgEJRYjaHR0cDovL2NlcnQuc3RhcnRj b20ub3JnL3BvbGljeS5wZGYwIwYDVR0SBBwwGoYYaHR0cDovL2NlcnQuc3RhcnRjb20ub3Jn MA0GCSqGSIb3DQEBBQUAA4IBAQCdG1L0T4OT1x4X/cKsuHxgijRaZGGiVECcn5+1X7E3H54/ yDkUqWAp6MZ3hZm36pzTYYnl+5M6vldLcqFCVpD7MgH6Kmu+r6pXAjU33k1RIHnkBvQ6KGlR p0RjfaZW/2MkG07vF2QTLbx6KIhi0pa9Bg9wlqyw+C2g6FYnfmrdJLgGrxUXek8DSZNjZ/AA 75OoutrWkBtdaL2TbFiawdbGuJbSoQLHqLrNhT8f74Oec7ReOmuUTEL8hsFU0sbY/n2e9Wna 1Vzze3nZPbyPiC5F88p88gVLB9mKkOzleYefYiQw8LABz5x1MI+w0bNKNPLviJ/KnHGFEfVL z1oMHyC3MIIIYjCCB0qgAwIBAgIDAXiqMA0GCSqGSIb3DQEBBQUAMIGvMQswCQYDVQQGEwJJ TDEPMA0GA1UECBMGSXNyYWVsMRYwFAYDVQQKEw1TdGFydENvbSBMdGQuMSMwIQYDVQQLExpT ZWN1cmUgQ2VydGlmaWNhdGUgU2lnbmluZzEvMC0GA1UEAxMmU3RhcnRDb20gQ2xhc3MgMyBQ cmltYXJ5IEVtYWlsIEZyZWUgQ0ExITAfBgkqhkiG9w0BCQEWEmFkbWluQHN0YXJ0Y29tLm9y ZzAeFw0wNzA4MjIyMTEzMjdaFw0wODA4MjEyMTEzMjdaMIG6MQswCQYDVQQGEwJVUzERMA8G A1UECBMIQ29sb3JhZG8xDzANBgNVBAcTBkRlbnZlcjEaMBgGA1UEChMRUGV0ZXIgU2FpbnQt QW5kcmUxLDAqBgNVBAsTI1N0YXJ0Q29tIFRydXN0ZWQgQ2VydGlmaWNhdGUgTWVtYmVyMRow GAYDVQQDExFQZXRlciBTYWludC1BbmRyZTEhMB8GCSqGSIb3DQEJARYSc3RwZXRlckBzdHBl dGVyLmltMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsLV2SoOCCG69QKQSWhEN fnRNMnpLOPUGq0ylir4CfroHCRZ8/Tu5rL6MeiuLvvvvrCTX8COTWdNIdf4laj4lbBVdhYFf 5l3vzRsHQUZKFiUcbAyF3+nFf2xPgpbcP6vywgdVtMZ251LB6410GGqvWIRyPN7vmGnLAyST U5CFOSx5DEjmjBr0zfUk500RfQlrp6zKHDC2qpM0Lzo66NfBrbB7DwZNEkT2nYjQHVUKwq4l o9q1shx/04WJNI4Nvm/Kirf6WsSWHpXoFcrER9DgPYcJJj7lSaUp2eW3O81urHJpNhCLVgaw XN7DtJPdHw/mOsKrZy9GMatMpWiNleA9nQIDAQABo4IEeDCCBHQwDAYDVR0TBAUwAwIBADAL BgNVHQ8EBAMCBLAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMEMB0GA1UdDgQWBBSX sJTZ1L9qU7AsgdX85zZGQYNi6DCB3QYDVR0jBIHVMIHSgBQErNskd1NGRpZfFwFcfUJHvUgZ CKGBtqSBszCBsDELMAkGA1UEBhMCSUwxDzANBgNVBAgTBklzcmFlbDEOMAwGA1UEBxMFRWls YXQxFjAUBgNVBAoTDVN0YXJ0Q29tIEx0ZC4xGjAYBgNVBAsTEUNBIEF1dGhvcml0eSBEZXAu MSkwJwYDVQQDEyBGcmVlIFNTTCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTEhMB8GCSqGSIb3 DQEJARYSYWRtaW5Ac3RhcnRjb20ub3JnggEKMIIBQAYDVR0gBIIBNzCCATMwggEvBgsrBgEE AYG1NwEBBDCCAR4wNQYIKwYBBQUHAgEWKWh0dHA6Ly9jZXJ0LnN0YXJ0Y29tLm9yZy9pbnRl cm1lZGlhdGUucGRmMC8GCCsGAQUFBwIBFiNodHRwOi8vY2VydC5zdGFydGNvbS5vcmcvcG9s aWN5LnBkZjCBswYIKwYBBQUHAgIwgaYwFBYNU3RhcnRDb20gTHRkLjADAgEBGoGNTGltaXRl ZCBMaWFiaWxpdHksIHJlYWQgdGhlIHNlY3Rpb24gKkxlZ2FsIExpbWl0YXRpb25zKiBvZiB0 aGUgU3RhcnRDb20gQ2VydGlmaWNhdGlvbiBQb2xpY3kgYXZhaWxhYmxlIGF0IGh0dHA6Ly9j ZXJ0LnN0YXJ0Y29tLm9yZy9wb2xpY3kucGRmMGQGA1UdHwRdMFswLKAqoCiGJmh0dHA6Ly9j ZXJ0LnN0YXJ0Y29tLm9yZy9jcnR1My1jcmwuY3JsMCugKaAnhiVodHRwOi8vY3JsLnN0YXJ0 Y29tLm9yZy9jcnR1My1jcmwuY3JsMIGEBggrBgEFBQcBAQR4MHYwNwYIKwYBBQUHMAGGK2h0 dHA6Ly9vY3NwLnN0YXJ0Y29tLm9yZy9zdWIvY2xhc3MzL3VzZXIvY2EwOwYIKwYBBQUHMAKG L2h0dHA6Ly9jZXJ0LnN0YXJ0Y29tLm9yZy9zdWIuY2xhc3MzLnVzZXIuY2EuY3J0MBEGCWCG SAGG+EIBAQQEAwIFoDAxBglghkgBhvhCAQ0EJBYiU3RhcnRDb20gVHJ1c3RlZCBFbWFpbCBD ZXJ0aWZpY2F0ZTAyBglghkgBhvhCAQQEJRYjaHR0cDovL2NlcnQuc3RhcnRjb20ub3JnL2Nh LWNybC5jcmwwNQYJYIZIAYb4QgEDBCgWJmh0dHA6Ly9jZXJ0LnN0YXJ0Y29tLm9yZy9jcnR1 My1jcmwuY3JsMDIGCWCGSAGG+EIBCAQlFiNodHRwOi8vY2VydC5zdGFydGNvbS5vcmcvcG9s aWN5LnBkZjAjBgNVHRIEHDAahhhodHRwOi8vY2VydC5zdGFydGNvbS5vcmcwDQYJKoZIhvcN AQEFBQADggEBAJ0bUvRPg5PXHhf9wqy4fGCKNFpkYaJUQJyfn7VfsTcfnj/IORSpYCnoxneF mbfqnNNhieX7kzq+V0tyoUJWkPsyAfoqa76vqlcCNTfeTVEgeeQG9DooaVGnRGN9plb/YyQb Tu8XZBMtvHooiGLSlr0GD3CWrLD4LaDoVid+at0kuAavFRd6TwNJk2Nn8ADvk6i62taQG11o vZNsWJrB1sa4ltKhAseous2FPx/vg55ztF46a5RMQvyGwVTSxtj+fZ71adrVXPN7edk9vI+I LkXzynzyBUsH2YqQ7OV5h59iJDDwsAHPnHUwj7DRs0o08u+In8qccYUR9UvPWgwfILcxggQs MIIEKAIBATCBtzCBrzELMAkGA1UEBhMCSUwxDzANBgNVBAgTBklzcmFlbDEWMBQGA1UEChMN U3RhcnRDb20gTHRkLjEjMCEGA1UECxMaU2VjdXJlIENlcnRpZmljYXRlIFNpZ25pbmcxLzAt BgNVBAMTJlN0YXJ0Q29tIENsYXNzIDMgUHJpbWFyeSBFbWFpbCBGcmVlIENBMSEwHwYJKoZI hvcNAQkBFhJhZG1pbkBzdGFydGNvbS5vcmcCAwF4qjAJBgUrDgMCGgUAoIICSTAYBgkqhkiG 9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0wNzEyMDYxNTMwNTBaMCMGCSqG SIb3DQEJBDEWBBQrh5kTitWVtD9FZUzLY4OcMgFafzBSBgkqhkiG9w0BCQ8xRTBDMAoGCCqG SIb3DQMHMA4GCCqGSIb3DQMCAgIAgDANBggqhkiG9w0DAgIBQDAHBgUrDgMCBzANBggqhkiG 9w0DAgIBKDCByAYJKwYBBAGCNxAEMYG6MIG3MIGvMQswCQYDVQQGEwJJTDEPMA0GA1UECBMG SXNyYWVsMRYwFAYDVQQKEw1TdGFydENvbSBMdGQuMSMwIQYDVQQLExpTZWN1cmUgQ2VydGlm aWNhdGUgU2lnbmluZzEvMC0GA1UEAxMmU3RhcnRDb20gQ2xhc3MgMyBQcmltYXJ5IEVtYWls IEZyZWUgQ0ExITAfBgkqhkiG9w0BCQEWEmFkbWluQHN0YXJ0Y29tLm9yZwIDAXiqMIHKBgsq hkiG9w0BCRACCzGBuqCBtzCBrzELMAkGA1UEBhMCSUwxDzANBgNVBAgTBklzcmFlbDEWMBQG A1UEChMNU3RhcnRDb20gTHRkLjEjMCEGA1UECxMaU2VjdXJlIENlcnRpZmljYXRlIFNpZ25p bmcxLzAtBgNVBAMTJlN0YXJ0Q29tIENsYXNzIDMgUHJpbWFyeSBFbWFpbCBGcmVlIENBMSEw HwYJKoZIhvcNAQkBFhJhZG1pbkBzdGFydGNvbS5vcmcCAwF4qjANBgkqhkiG9w0BAQEFAASC AQCMe3O8udq3hW7cS7oz3NRY7Fw4CdeE7dGRaGHyH63JR9FDhL5NjUwKO1IIZIHBDp8Yd3PJ KwBkjJTk9NHXwTabA7CLeBWJKmoghWCyRsF6/71gFGllXG8Pqd/ReOJod7PpWV1GblCnbJJj t7KrLmdF9jrn/4KH94mtJbuOeN8QCP12ZSpTLGEd/Ou+0IP5LgUFdZYMjrk/85CHOhlbTVpv mh4+FGhy0g3BI0y4An091MzcZ7cWsRrPL0XYtDUtv0q+d2D4M8rPIJddLnhFiz8jsXIIsuTw URC9KGqYw5HAyRZxikq4qwXU/+4Ynyy5dwoEDZ6pl/9d5T53eCzeg5HjAAAAAAAA --------------ms030203040303010208020201-- Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id lB68PNh2011931 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 6 Dec 2007 01:25:23 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id lB68PNJ7011930; Thu, 6 Dec 2007 01:25:23 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from yxa.extundo.com (yxa.extundo.com [83.241.177.38]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id lB68PKPE011923 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL) for <ietf-sasl@imc.org>; Thu, 6 Dec 2007 01:25:22 -0700 (MST) (envelope-from simon@josefsson.org) Received: from mocca.josefsson.org (yxa.extundo.com [83.241.177.38]) (authenticated bits=0) by yxa.extundo.com (8.13.4/8.13.4/Debian-3sarge3) with ESMTP id lB68P1GP030712 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 6 Dec 2007 09:25:07 +0100 From: Simon Josefsson <simon@josefsson.org> To: Tom Yu <tlyu@MIT.EDU> Cc: ietf-sasl@imc.org Subject: Re: Working Group Last Call: draft-melnikov-digest-to-historic-00.txt In-Reply-To: <ldvir3cu1nw.fsf@cathode-dark-space.mit.edu> (Tom Yu's message of "Wed, 05 Dec 2007 19:06:43 -0500") References: <ldvir3cu1nw.fsf@cathode-dark-space.mit.edu> User-Agent: Gnus/5.110007 (No Gnus v0.7) Emacs/22.1 (gnu/linux) OpenPGP: id=B565716F; url=http://josefsson.org/key.txt X-Hashcash: 1:22:071206:ietf-sasl@imc.org::1weu8jObURC1mMJ+:129F X-Hashcash: 1:22:071206:tlyu@mit.edu::vqTzXNbRC37d1yTW:CDDD Date: Thu, 06 Dec 2007 09:25:01 +0100 Message-ID: <87ir3cp6w2.fsf@mocca.josefsson.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Spam-Status: No, score=-0.0 required=4.0 tests=SPF_PASS autolearn=disabled version=3.1.7 X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on yxa-iv X-Virus-Scanned: ClamAV version 0.88.2, clamav-milter version 0.88.2 on yxa.extundo.com X-Virus-Status: Clean Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> Tom Yu <tlyu@MIT.EDU> writes: > A URL for this Internet-Draft is: > http://www.ietf.org/internet-drafts/draft-melnikov-digest-to-historic-00.txt I have read the document and support it. Two concerns though: 1) One of the main disadvantages with DIGEST-MD5 for me is that its cryptographic primitives are sub-standard by today's standard. The text in 7.B touches on this, but seems misplaced as 7 is about missing features. I suggest adding to section 1: 8. The cryptographic primitives in DIGEST-MD5 are not up to today's standards, in particular: A. The MD5 hash is sufficiently weak to make a brute force attack on DIGEST-MD5 easy with common hardware. B. Using the RC4 algorithm for the security layer without discarding the initial key stream output is prone to attack. And consequently removing the text in 7.B (which is the same as 8.A), except that it fixes a typo and adds a leading 'The'. 2) There should be better recommendations on what users should use instead. There is the following text: Note that despite DIGEST-MD5 seeing some deployment on the Internet, this specification recommends obsoleting DIGEST-MD5 because DIGEST- MD5, as implemented, is not a reasonable candidate for further standardization and should be deprecated in favor of one or more new password-based mechanisms currently being designed. I think there should be a reference to PLAIN+TLS here. I think a recommendation to wait for some future protocol to materialize, while best from security perspective, should be amended with a practical recommendation. Thanks, /Simon Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id lB606o3p077937 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 5 Dec 2007 17:06:50 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id lB606o2d077936; Wed, 5 Dec 2007 17:06:50 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from biscayne-one-station.mit.edu (BISCAYNE-ONE-STATION.MIT.EDU [18.7.7.80]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id lB606mA5077927 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <ietf-sasl@imc.org>; Wed, 5 Dec 2007 17:06:49 -0700 (MST) (envelope-from tlyu@MIT.EDU) Received: from outgoing.mit.edu (OUTGOING-AUTH.MIT.EDU [18.7.22.103]) by biscayne-one-station.mit.edu (8.13.6/8.9.2) with ESMTP id lB606ltc007159 for <ietf-sasl@imc.org>; Wed, 5 Dec 2007 19:06:47 -0500 (EST) Received: from cathode-dark-space.mit.edu (CATHODE-DARK-SPACE.MIT.EDU [18.18.1.96]) (authenticated bits=56) (User authenticated as tlyu@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.6/8.12.4) with ESMTP id lB606kGt016158 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT) for <ietf-sasl@imc.org>; Wed, 5 Dec 2007 19:06:47 -0500 (EST) Received: (from tlyu@localhost) by cathode-dark-space.mit.edu (8.12.9.20060308) id lB606k6i026663; Wed, 5 Dec 2007 19:06:46 -0500 (EST) To: ietf-sasl@imc.org Subject: Working Group Last Call: draft-melnikov-digest-to-historic-00.txt From: Tom Yu <tlyu@MIT.EDU> Date: Wed, 05 Dec 2007 19:06:43 -0500 Message-ID: <ldvir3cu1nw.fsf@cathode-dark-space.mit.edu> Lines: 18 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Scanned-By: MIMEDefang 2.42 X-Spam-Flag: NO X-Spam-Score: 0.00 Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 This message commences a Working Group Last Call period for the following document: Title : Moving DIGEST-MD5 to Historic Author(s) : A. Melnikov Filename : draft-melnikov-digest-to-historic-00.txt Pages : 7 Date : 2007-09-08 A URL for this Internet-Draft is: http://www.ietf.org/internet-drafts/draft-melnikov-digest-to-historic-00.txt This Last Call will expire on Friday, December 21, 2007. Please review this document and address feedback to the Working Group mailing list. Tom Yu, SASL co-chair -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (SunOS) iD8DBQFHVz0WSO8fWy4vZo4RAoF6AKCVuXx5JZPX+mgvrjgL2UTdmTFb3wCdHXOg 9wcjlHuL2gUVAHBvMnhUd4k= =kz4u -----END PGP SIGNATURE----- Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id lB5JBYuN050026 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 5 Dec 2007 12:11:34 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id lB5JBYe5050025; Wed, 5 Dec 2007 12:11:34 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from biscayne-one-station.mit.edu (BISCAYNE-ONE-STATION.MIT.EDU [18.7.7.80]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id lB5JBWxC050016 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <ietf-sasl@imc.org>; Wed, 5 Dec 2007 12:11:33 -0700 (MST) (envelope-from tlyu@MIT.EDU) Received: from outgoing.mit.edu (OUTGOING-AUTH.MIT.EDU [18.7.22.103]) by biscayne-one-station.mit.edu (8.13.6/8.9.2) with ESMTP id lB5JBRCb005661 for <ietf-sasl@imc.org>; Wed, 5 Dec 2007 14:11:31 -0500 (EST) Received: from cathode-dark-space.mit.edu (CATHODE-DARK-SPACE.MIT.EDU [18.18.1.96]) (authenticated bits=56) (User authenticated as tlyu@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.6/8.12.4) with ESMTP id lB5IwYjt029762 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT) for <ietf-sasl@imc.org>; Wed, 5 Dec 2007 13:58:34 -0500 (EST) Received: (from tlyu@localhost) by cathode-dark-space.mit.edu (8.12.9.20060308) id lB5IwYtN025679; Wed, 5 Dec 2007 13:58:34 -0500 (EST) To: ietf-sasl@imc.org Subject: updated SCRAM document From: Tom Yu <tlyu@MIT.EDU> Date: Wed, 05 Dec 2007 13:58:33 -0500 Message-ID: <ldvodd5vuhy.fsf@cathode-dark-space.mit.edu> Lines: 848 MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="=-=-=" X-Scanned-By: MIMEDefang 2.42 X-Spam-Flag: NO X-Spam-Score: 0.00 Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> --=-=-= Abhijit submitted a new revision of SCRAM but it hasn't made it to the I-D repository yet. I've attached it below. (Note that the actual I-D revision will be -05, not -06 as in the below text.) --=-=-= Content-Disposition: attachment; filename=draft-newman-auth-scram-06.txt Network Working Group Abhijit Menon-Sen Internet-Draft Oryx Mail Systems GmbH Intended Status: Proposed Standard Chris Newman Expires: May 1, 2008 Sun Microsystems December 2007 Salted Challenge Response Authentication Mechanism (SCRAM) draft-newman-auth-scram-06.txt Status of this Memo By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet- Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft expires in May 2008. Copyright Notice Copyright (C) The IETF Trust (2007). Abstract The secure authentication mechanism most widely deployed and used by Internet application protocols is the transmission of clear-text passwords over a channel protected by Transport Layer Security (TLS). There are some significant security concerns with that mechanism, which could be addressed by the use of a challenge Menon-Sen and Newman Expires May 2008 [Page 1] Internet-draft December 2007 response authentication mechanism protected by TLS. Unfortunately, the challenge response mechanisms presently on the standards track all fail to meet requirements necessary for widespread deployment, and have had success only in limited use. This specification describes the Salted Challenge Response Authentication Mechanism (SCRAM), which addresses the security concerns and meets the deployability requirements. When used in combination with TLS or an equivalent security layer, this mechanism could improve the status-quo for application protocol authentication and provide a suitable choice for a mandatory-to-implement mechanism for future application protocol standards. 1. Conventions Used in This Document The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. Formal syntax is defined by [RFC4234] including the core rules defined in Appendix B of [RFC4234]. Example lines prefaced by "C:" are sent by the client and ones prefaced by "S:" by the server. If a single "C:" or "S:" label applies to multiple lines, then the line breaks between those lines are for editorial clarity only, and are not part of the actual protocol exchange. 1.1. Terminology This document uses several terms defined in [RFC4949] ("Internet Security Glossary") including the following: authentication, authentication exchange, authentication information, brute force, challenge-response, cryptographic hash function, dictionary attack, eavesdropping, hash result, keyed hash, man-in-the-middle, nonce, one-way encryption function, password, replay attack and salt. Readers not familiar with these terms should use that glossary as a reference. Some clarifications and additional definitions follow: - Authentication information: Information used to verify an identity claimed by a SCRAM client. The authentication information for a SCRAM identity consists of salt and the "StoredKey" and "ServerKey" (as defined in the algorithm overview) for each supported cryptographic hash function. Menon-Sen and Newman Expires May 2008 [Page 2] Internet-draft December 2007 - Authentication database: The database used to look up the authentication information associated with a particular identity. For application protocols, LDAPv3 (see [RFC4510]) is frequently used as the authentication database. For network-level protocols such as PPP or 802.11x, the use of RADIUS is more common. - Base64: An encoding mechanism defined in [RFC4648] which converts an octet string input to a textual output string which can be easily displayed to a human. The use of base64 in SCRAM is restricted to the canonical form with no whitespace. - Octet: An 8-bit byte. - Octet string: A sequence of 8-bit bytes. - Salt: A random octet string that is combined with a password before applying a one-way encryption function. This value is used to protect passwords that are stored in an authentication database. 1.2. Notation The pseudocode description of the algorithm uses the following notations: - ":=": The variable on the left hand side represents the octet string resulting from the expression on the right hand side. - "+": Octet string concatenation. - "[ ]": A portion of an expression enclosed in "[" and "]" may not be included in the result under some circumstances. See the associated text for a description of those circumstances. - HMAC(key, str): Apply the HMAC keyed hash algorithm (defined in [RFC2104]) using the octet string represented by "key" as the key and the octet string "str" as the input string. The size of the result is the hash result size for the hash function in use. For example, it is 20 octets for SHA-1 (see [RFC3174]). - H(str): Apply the cryptographic hash function to the octet string "str", producing an octet string as a result. The size of the result depends on the hash result size for the hash function in use. - Hi(str): Apply the cryptographic hash function to the octet string "str", then repeat the application on the output string for a Menon-Sen and Newman Expires May 2008 [Page 3] Internet-draft December 2007 number of iterations equal to the integer i minus 1. - XOR: Apply the exclusive-or operation to combine the octet string on the left of this operator with the octet string on the right of this operator. The length of the output and each of the two inputs will be the same for this use. 2. Introduction This specification describes the Salted Challenge Response Authentication Mechanism (SCRAM) which addresses the requirements necessary to deploy a challenge-response mechanism more widely than past attempts. When used in combination with Transport Layer Security (TLS, see [RFC4346]) or an equivalent security layer, this mechanism could improve the status-quo for application protocol authentication and provide a suitable choice for a mandatory-to- implement mechanism for future application protocol standards. For simplicity, this mechanism does not presently include negotiation of a security layer. It is intended to be used with an external security layer such as that provided by TLS or SSH. SCRAM provides the following protocol features: - The authentication information stored in the authentication database is not sufficient by itself to impersonate the client. The information is salted to prevent a pre-stored dictionary attack if the database is stolen. - The server does not gain the ability to impersonate the client to other servers (with an exception for server-authorized proxies). - The mechanism permits the use of a server-authorized proxy without requiring that proxy to have super-user rights with the back-end server. - A standard attribute is defined to enable storage of the authentication information in LDAPv3 (see [RFC4510]). - Bindings to several authentication frameworks are provided so the mechanism is not limited to a small subset of protocols. - Both the client and server can be authenticated by the protocol. - The cryptographic hash function used to authenticate can be upgraded gracefully without breaking backwards compatibility or risking downgrade attacks. Menon-Sen and Newman Expires May 2008 [Page 4] Internet-draft December 2007 For an in-depth discussion of why other challenge response mechanisms are not considered sufficient, see appendix A. For more information about the motivations behind the design of this mechanism, see appendix B. Comments regarding this draft may be sent either to the ietf- sasl@imc.org mailing list or to the authors. 3. SCRAM Algorithm Overview To begin with, the client is in possession of a username and password. It sends the username to the server, which retrieves the corresponding authentication information, i.e. a salt, StoredKey, and ServerKey. The server sends the salt and an iteration count to the client, which then computes the following values and sends a ClientProof to the server: SaltedPassword := Hi(HMAC(password, salt)) ClientKey := H(SaltedPassword) StoredKey := H(ClientKey) AuthMessage := client-first-message + "," + server-first-message + "," + final-client-message-without-proof ClientSignature := HMAC(StoredKey, AuthMessage) ClientProof := ClientKey XOR ClientSignature ServerKey := HMAC(SaltedPassword, salt) ServerSignature := HMAC(ServerKey, AuthMessage) The server authenticates the client by computing the ClientSignature, exclusive-ORing that with the ClientProof to recover the ClientKey and verifying the correctness of the ClientKey by applying the hash function and comparing the result to the StoredKey. If the ClientKey is correct, this proves that the client has access to the user's password. Similarly, the client authenticates the server by computing the ServerSignature and comparing it to the value sent by the server. If the two are equal, it proves that the server had access to the user's SaltedPassword. The AuthMessage is computed by concatenating messages from the authentication exchange. The format of these messages is defined in the Formal Syntax section. Menon-Sen and Newman Expires May 2008 [Page 5] Internet-draft December 2007 4. SCRAM Authentication Exchange SCRAM is a text protocol where the client and server exchange messages containing one or more attribute-value pairs separated by commas. Each attribute has a one-letter name. The messages and their attributes are described in section 4.1, and defined in the Formal Syntax section. This is a simple example of a SCRAM authentication exchange: C: n=Chris Newman,h=md5,r=ClientNonce S: r=ClientNonceServerNonce,h=md5,s=PxR/wv+epq,i=128 C: r=ClientNonceServerNonce,p=WxPv/siO5l+qxN4 S: v=WxPv/siO5l+qxN4 First, the client sends a message containing the username, a list of the hash functions it supports, and a random, unique nonce. In response, the server sends its list of supported hash functions, an iteration count i, the user's salt, and appends its own nonce to the client-specified one. The client then responds with the same nonce and a ClientProof computed as explained earlier. The server verifies the proof and responds with a ServerSignature, concluding the authentication exchange. 4.1 SCRAM attributes This section describes the permissible attributes, their use, and the format of their values. - a: This optional attribute specifies an authorization identity. A client may include it in its first message to the server if it wants to authenticate as one user, but subsequently act as a different user. This is typically used by an administrator to perform some management task on behalf of another user, or by a proxy in some situations (see appendix A for more details). If this attribute is omitted (as it normally would be), or specified with an empty value, the authorization identity is assumed to be the same as the username specified with the (required) "n" attribute. The server always authenticates the user specified by the "n" attribute. If the "a" attribute specifies a different user, the server associates that identity with the connection after successful authentication and authorization checks. The syntax of this field is the same as that of the "n" field with Menon-Sen and Newman Expires May 2008 [Page 6] Internet-draft December 2007 respect to quoting of '=' and ','. - n: This attribute specifies the name of the user whose password is used for authentication. A client must include it in its first message to the server. If the "a" attribute is not specified (which would normally be the case), this username is also the identity which will be associated with the connection subsequent to authentication and authorization. The characters ',' or '=' in usernames are sent as '=2C' and '=3D' respectively. If the server receives a username which contains '=' not followed by either '2C' or '3D', then the server MUST fail the authentication. - h: This attribute is a colon-separated list of supported hash function names, as defined in the IANA "Hash Function Textual Names" registry. - r: This attribute specifies a sequence of random printable characters excluding ',' which forms the nonce used as input to the hash function. No quoting is applied to this string (unless the binding of SCRAM to a particular protocol states otherwise). As described earlier, the client supplies an initial value in its first message, and the server augments that value with its own nonce in its first response. It is important that this be value different for each authentication. The client must verify that the initial part of the nonce used in subsequent messages is the same as the nonce it initially specified. - c: This optional attribute specifies base64-encoded channel- binding data. It may be sent by either the client or the server. If specified, the authentication MUST fail unless the value is successfully verified. Whether this attribute is included, and the meaning and contents of the channel-binding data depends on the external security layer in use. This is necessary to detect a man-in-the-middle attack on the security layer. - s: This attribute specifies the base64-encoded salt used by the server for this user. It is sent by the server in its first message to the client. - i: This attribute specifies an iteration count for the selected hash function, and must be sent by the server along with the user's salt. - p: This attribute specifies a base64-encoded ClientProof. The client computes this value as described in the overview and sends it to the server. Menon-Sen and Newman Expires May 2008 [Page 7] Internet-draft December 2007 - v: This attribute specifies a base64-encoded ServerSignature. It is sent by the server in its final message, and may be used by the client to verify that the server has access to the user's authentication information. This value is computed as explained in the overview. 5. Hash functions SCRAM can use hash functions defined by the IANA "Hash Function Textual Names" registry. For interoperability, all SCRAM clients and servers MUST implement the MD5 hash function as defined in [RFC1321]. Servers SHOULD announce a hash iteration-count of at least 128. 6. Formal Syntax The following syntax specification uses the Augmented Backus-Naur Form (ABNF) notation as specified in [RFC4234]. generic-message = attr-val *("," attr-val) attr-val = ALPHA "=" value value = *(value-char) value-safe-char = %20-2B / %2D-3C / %3E-7E / UTF8-2 / UTF8-2 / UTF-3 / UTF8-4 ;; UTF8-char except CTL, "=", and ",". value-char = value-safe-char / "=" base64-char = ALPHA / DIGIT / "/" / "+" base64-4 = 4*4(base64-char) base64-3 = 3*3(base64-char) "=" base64-2 = 2*2(base64-char) "==" base64 = *(base64-4) [base64-3 / base64-2] saslname = 1*(value-safe-char / "=2C" / "=3D") ;; Conforms to <value> ;; Usernames are prepared using SASLPrep. Menon-Sen and Newman Expires May 2008 [Page 8] Internet-draft December 2007 authzid = "a=" saslname username = "n=" saslname channel-binding = "c=" base64 proof = "p=" base64 nonce = "r=" value [value] ;; Second part provided by server. salt = "s=" base64 verifier = "v=" base64 hash-list = "h=" hash-name *(":" hash-name) hash-name = value ;; Hash Function Textual Name, from ;; http://www.iana.org/assignments/hash- function-text-names iteration-count = "i=" 1*DIGIT client-first-message = [authzid ","] username "," hash-list "," nonce server-first-message = nonce "," hash-list "," salt "," iteration-count client-final-message-without-proof = nonce "," channel-binding client-final-message = client-final-message-without-proof "," proof server-final-message = verifier 7. Security Considerations If the authentication exchange is performed without a strong security layer, then a passive eavesdropper can gain sufficient information to mount an offline dictionary or brute-force attack which can be used to recover the user's password. The amount of time necessary for this attack depends on the cryptographic hash function selected, the strength of the password and the iteration count Menon-Sen and Newman Expires May 2008 [Page 9] Internet-draft December 2007 supplied by the server. An external security layer with strong encryption will prevent this attack. If the external security layer used to protect the SCRAM exchange uses an anonymous key exchange, then the SCRAM channel binding mechanism can be used to detect a man-in-the-middle attack on the security layer and cause the authentication to fail as a result. However, the man-in-the-middle attacker will have gained sufficient information to mount an offline dictionary or brute-force attack. For this reason, SCRAM includes the ability to increase the iteration count over time. If the authentication information is stolen from the authentication database, then an offline dictionary or brute-force attack can be used to recover the user's password. The use of salt mitigates this attack somewhat by requiring a separate attack on each password. Authentication mechanisms which protect against this attack are available (e.g., the EKE class of mechanisms), but the patent situation is presently unclear. If an attacker obtains the authentication information from the authentication repository and either eavesdrops on one authentication exchange or impersonates a server, the attacker gains the ability to impersonate that user to all servers providing SCRAM access using the same password and salt. For this reason, it is important to use randomly-generated salt values. If the server detects (from the value of the client-specified "h" attribute) that both endpoints support a stronger hash function that the one the client actually chooses to use, then it SHOULD treat this as a downgrade attack and reject the authentication attempt. 8. IANA considerations (Hash function names registry, SASL mechanism registration.) 9. Acknowedgements The authors would like to thank Alexey Melnikov and Dave Cridland for their contributions to this document. Menon-Sen and Newman Expires May 2008 [Page 10] Internet-draft December 2007 10. Normative References [RFC4648] Josefsson, "The Base16, Base32, and Base64 Data Encodings", RFC 4648, SJD, October 2006. [RFC1321] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321, April 1992. [RFC2104] Krawczyk, Bellare, Canetti, "HMAC: Keyed-Hashing for Message Authentication", IBM, February 1997. [RFC2119] Bradner, "Key words for use in RFCs to Indicate Requirement Levels", RFC 2119, Harvard University, March 1997. [RFC3174] Eastlake, Jones, "US Secure Hash Algorithm 1 (SHA1)", RFC 3174, Motorola, September 2001 [RFC4234] Crocker, Overell, "Augmented BNF for Syntax Specifications: ABNF", RFC 4234, Brandenburg Internetworking, Demon Internet Ltd, October 2005. [RFC4346] Dierks, Rescorla, "The Transport Layer Security (TLS) Protocol, Version 1.1", RFC 4346, Brandenburg Internetworking, April 2006. [RFC4422] Melnikov, Zeilenga, "Simple Authentication and Security Layer (SASL)", RFC 4422, Isode Limited, June 2006. 11. Informative References [RFC1939] Myers, Rose, "Post Office Protocol - Version 3", RFC 1939, Carnegie Mellon, May 1996. [RFC2195] Klensin, Catoe, Krumviede, "IMAP/POP AUTHorize Extension for Simple Challenge/Response", RFC 2195, MCI, September 1997. [RFC2202] Cheng, Glenn, "Test Cases for HMAC-MD5 and HMAC-SHA-1", RFC 2202, IBM, September 1997 [RFC2289] Haller, Metz, Nesser, Straw, "A One-Time Password System", RFC 2289, STD0061, February 1998. [RFC4949] Shirey, "Internet Security Glossary, Version 2", RFC 4949, FYI 0036, August 2007. Menon-Sen and Newman Expires May 2008 [Page 11] Internet-draft December 2007 [RFC4086] Eastlake, Schiller, Crocker, "Randomness Requirements for Security", RFC 4086, BCP 0106, Motorola Laboratories, June 2005. [RFC4120] Neuman, Yo, Hartman, Raebun, "The Kerberos Network Authentication Service (V5)", RFC 4120, USC-ISI, July 2005. [RFC4510] Zeilenga, "Lightweight Directory Access Protocol (LDAP): Technical Specification Road Map", RFC 4510, June 2006. [DIGEST-MD5] Melnikov, "Using Digest Authentication as a SASL Mechanism", draft-ietf-sasl-rfc2831bis-12.txt, Isode Ltd., March 2007 12. Authors' Addresses Abhijit Menon-Sen Oryx Mail Systems GmbH Email: ams@oryx.com Chris Newman Sun Microsystems 1050 Lakes Drive West Covina, CA 91790 USA Email: chris.newman@sun.com Appendix A: Other Authentication Mechanisms The DIGEST-MD5 mechanism has proved to be too complex to implement and test, and thus has poor interoperability. The security layer is often not implemented, and almost never used; everyone uses TLS instead. The PLAIN SASL mechanism allows a malicious server or eavesdropper to impersonate the authenticating user to any other server for which the user has the same password. It also sends the password in the clear over the network, unless TLS is used. Server authentication is not supported. (To be completed.) Menon-Sen and Newman Expires May 2008 [Page 12] Internet-draft December 2007 Appendix B: Design Motivations (To be written.) Appendix C: SCRAM Examples (To be written.) Appendix D: SCRAM Interoperability Testing (To be written.) Intellectual Property Statement The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79. Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf- ipr@ietf.org. Full Copyright Statement Copyright (C) The IETF Trust (2007). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights. This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE Menon-Sen and Newman Expires May 2008 [Page 13] Internet-draft December 2007 REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Acknowledgment Funding for the RFC Editor function is currently provided by the Internet Society. Menon-Sen and Newman Expires May 2008 [Page 14] Internet-draft December 2007 (RFC Editor: Please delete everything after this point) Open Issues - The appendices need to be written. - Should the server send a base64-encoded ServerSignature for the value of the "v" attribute, or should it compute a ServerProof the way the client computes a ClientProof? - What about this LDAP attribute to store authentication information? - It is entirely unclear to me how best to handle channel bindings. Should the channel binding data be sent directly at all? - It's not clear from the document that the hash function to use for a particular authentication exchange is selected by the client before the exchange begins. - Should the title include the acronym SASL to help the greppers? Changes since -04 - Update Base64 and Security Glossary references. - Add Formal Syntax section. - Don't bother with "v=". - Make MD5 mandatory to implement. Suggest i=128. Changes since -03 - Seven years have passed, in which it became clear that DIGEST-MD5 suffered from unacceptably bad interoperability, so SCRAM-MD5 is now back from the dead. - Be hash agnostic, so MD5 can be replaced more easily. - General simplification. Menon-Sen and Newman Expires May 2008 [Page 15] --=-=-=-- Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id lB5HUlc7040263 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 5 Dec 2007 10:30:47 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id lB5HUlgF040262; Wed, 5 Dec 2007 10:30:47 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from rufus.isode.com (rufus.isode.com [62.3.217.251]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id lB5HUkfJ040254 for <ietf-sasl@imc.org>; Wed, 5 Dec 2007 10:30:47 -0700 (MST) (envelope-from alexey.melnikov@isode.com) Received: from [130.129.17.12] (dhcp-110c.ietf70.org [130.129.17.12]) by rufus.isode.com (submission channel) via TCP with ESMTPA id <R1bgQwAXzDL1@rufus.isode.com>; Wed, 5 Dec 2007 17:30:45 +0000 Message-ID: <4756E041.7060005@isode.com> Date: Wed, 05 Dec 2007 17:30:41 +0000 From: Alexey Melnikov <alexey.melnikov@isode.com> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 X-Accept-Language: en-us, en To: Tom Yu <tlyu@MIT.EDU> CC: ietf-sasl@imc.org Subject: Re: charter update: revised milestones? References: <ldv1wa1zig7.fsf@cathode-dark-space.mit.edu> In-Reply-To: <ldv1wa1zig7.fsf@cathode-dark-space.mit.edu> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> Tom Yu wrote: >Milestones in my most recent charter proposal were: > >Done initial document moving DIGEST-MD5 to Historic >Sep 2007 WGLC document moving DIGEST-MD5 to Historic >Oct 2007 initial implementation report questionnaire >Oct 2007 initial RFC4422bis correcting references, etc. >Oct 2007 initial document for DIGEST-MD5 successor >Nov 2007 DIGEST-MD5 to Historic to IESG >Jan 2008 send out implementation report questionnaire >Feb 2008 compile implementation report questionnaire responses >Feb 2008 WGLC RFC4422bis >Feb 2008 WGLC DIGEST-MD5 successor >Mar 2008 discuss implementation report questionnaire results >Apr 2008 final implementation report >Apr 2008 RFC4422bis to IESG >Apr 2008 DIGEST-MD5 successor to IESG > >Given that we've slipped on a number of these so far, I suggest that >we move them by three or four months. Given the holiday season, I >would prefer adding four months rather than three, but I am open to >opinions either way. Which would people prefer? > I think the "digest to historic" can be WGLC-ed right away. Otherwise I don't have any preferences between 3 and 4 months. > Or do people think >that adding 3 or 4 months across the board is not appropriate? We can >discuss this in detail during the WG session if needed. > > Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id lB57rDWB089139 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 5 Dec 2007 00:53:13 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id lB57rDPV089138; Wed, 5 Dec 2007 00:53:13 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from biscayne-one-station.mit.edu (BISCAYNE-ONE-STATION.MIT.EDU [18.7.7.80]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id lB57rBld089130 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <ietf-sasl@imc.org>; Wed, 5 Dec 2007 00:53:12 -0700 (MST) (envelope-from tlyu@MIT.EDU) Received: from outgoing.mit.edu (OUTGOING-AUTH.MIT.EDU [18.7.22.103]) by biscayne-one-station.mit.edu (8.13.6/8.9.2) with ESMTP id lB57qvks007056 for <ietf-sasl@imc.org>; Wed, 5 Dec 2007 02:53:07 -0500 (EST) Received: from cathode-dark-space.mit.edu (CATHODE-DARK-SPACE.MIT.EDU [18.18.1.96]) (authenticated bits=56) (User authenticated as tlyu@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.6/8.12.4) with ESMTP id lB57quZF021243 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT) for <ietf-sasl@imc.org>; Wed, 5 Dec 2007 02:52:57 -0500 (EST) Received: (from tlyu@localhost) by cathode-dark-space.mit.edu (8.12.9.20060308) id lB57quBC022358; Wed, 5 Dec 2007 02:52:56 -0500 (EST) To: ietf-sasl@imc.org Subject: charter update: revised milestones? From: Tom Yu <tlyu@MIT.EDU> Date: Wed, 05 Dec 2007 02:52:56 -0500 Message-ID: <ldv1wa1zig7.fsf@cathode-dark-space.mit.edu> Lines: 25 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Scanned-By: MIMEDefang 2.42 X-Spam-Flag: NO X-Spam-Score: 0.00 Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> Milestones in my most recent charter proposal were: Done initial document moving DIGEST-MD5 to Historic Sep 2007 WGLC document moving DIGEST-MD5 to Historic Oct 2007 initial implementation report questionnaire Oct 2007 initial RFC4422bis correcting references, etc. Oct 2007 initial document for DIGEST-MD5 successor Nov 2007 DIGEST-MD5 to Historic to IESG Jan 2008 send out implementation report questionnaire Feb 2008 compile implementation report questionnaire responses Feb 2008 WGLC RFC4422bis Feb 2008 WGLC DIGEST-MD5 successor Mar 2008 discuss implementation report questionnaire results Apr 2008 final implementation report Apr 2008 RFC4422bis to IESG Apr 2008 DIGEST-MD5 successor to IESG Given that we've slipped on a number of these so far, I suggest that we move them by three or four months. Given the holiday season, I would prefer adding four months rather than three, but I am open to opinions either way. Which would people prefer? Or do people think that adding 3 or 4 months across the board is not appropriate? We can discuss this in detail during the WG session if needed. ---Tom
- new milestones for charter update Tom Yu
- Re: new milestones for charter update Alexey Melnikov
- Re: new milestones for charter update Tom Yu
- Digest-MD5 to Historic Frank Ellermann
- Re: Digest-MD5 to Historic Frank Ellermann
- Re: Digest-MD5 to Historic Frank Ellermann
- Re: Digest-MD5 to Historic Alexey Melnikov
- Re: Digest-MD5 to Historic Frank Ellermann