Re: [secdir] Secdir review of draft-sheffer-emu-eap-eke-07

"Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com> Tue, 07 September 2010 21:56 UTC

Return-Path: <sfluhrer@cisco.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C660F3A6862 for <secdir@core3.amsl.com>; Tue, 7 Sep 2010 14:56:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.399
X-Spam-Level:
X-Spam-Status: No, score=-9.399 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, J_CHICKENPOX_33=0.6, J_CHICKENPOX_43=0.6, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CPqd31oPao-d for <secdir@core3.amsl.com>; Tue, 7 Sep 2010 14:56:44 -0700 (PDT)
Received: from sj-iport-5.cisco.com (sj-iport-5.cisco.com [171.68.10.87]) by core3.amsl.com (Postfix) with ESMTP id 899523A6867 for <secdir@ietf.org>; Tue, 7 Sep 2010 14:56:44 -0700 (PDT)
Authentication-Results: sj-iport-5.cisco.com; dkim=neutral (message not signed) header.i=none
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AvsEAM9RhkyrRN+J/2dsb2JhbAChCXGlUJtjgw6CLwSEQ4hT
X-IronPort-AV: E=Sophos;i="4.56,330,1280707200"; d="scan'208";a="251486135"
Received: from sj-core-3.cisco.com ([171.68.223.137]) by sj-iport-5.cisco.com with ESMTP; 07 Sep 2010 21:57:12 +0000
Received: from xbh-sjc-211.amer.cisco.com (xbh-sjc-211.cisco.com [171.70.151.144]) by sj-core-3.cisco.com (8.13.8/8.14.3) with ESMTP id o87LvC2G029621; Tue, 7 Sep 2010 21:57:12 GMT
Received: from xmb-sjc-23e.amer.cisco.com ([128.107.191.15]) by xbh-sjc-211.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.4675); Tue, 7 Sep 2010 14:57:12 -0700
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: quoted-printable
Date: Tue, 7 Sep 2010 14:57:07 -0700
Message-ID: <EE0C2F9E065E634B84FC3BE36CF8A4B2049FFA60@xmb-sjc-23e.amer.cisco.com>
In-Reply-To: <bb342615fec1b6c2c64a591233d00b85.squirrel@www.trepanning.net>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [secdir] Secdir review of draft-sheffer-emu-eap-eke-07
Thread-Index: ActO0znpbGe1dAZTTRKhKyxDnjB2IwAAu7XA
X-Priority: 5
Priority: Non-Urgent
Importance: low
References: <3F897C02-D8FE-4D36-9397-2018BDD23927@cisco.com> <4C85295D.5010209@gmail.com> <bb342615fec1b6c2c64a591233d00b85.squirrel@www.trepanning.net>
From: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
To: "Dan Harkins" <dharkins@lounge.org>, "Yaron Sheffer" <yaronf.ietf@gmail.com>
X-OriginalArrivalTime: 07 Sep 2010 21:57:12.0746 (UTC) FILETIME=[A079C0A0:01CB4ED7]
X-Mailman-Approved-At: Wed, 08 Sep 2010 08:01:21 -0700
Cc: Tim Polk <tim.polk@nist.gov>, draft-sheffer-emu-eap-eke@tools.ietf.org, secdir@ietf.org
Subject: Re: [secdir] Secdir review of draft-sheffer-emu-eap-eke-07
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Sep 2010 21:56:45 -0000

> -----Original Message-----
> From: Dan Harkins [mailto:dharkins@lounge.org]
> Sent: Tuesday, September 07, 2010 5:25 PM
> To: Yaron Sheffer
> Cc: Brian Weis (bew); Dan Harkins; secdir@ietf.org; draft-sheffer-emu-
> eap-eke@tools.ietf.org; Russ Housley; Tim Polk
> Subject: Re: [secdir] Secdir review of draft-sheffer-emu-eap-eke-07
> 
> 
>   Hi Yaron,
> 
>   Actually what I was suggesting was to use the identities as the
> "salt" to the extraction part of HKDF. So it would look like this:
> 
>        PRF := mac(ID_s | ID_p, P)
>        KEY := mac+(PRF, "some application-specific string")
>        DHComponent_S := Encr(KEY, y_s)
> 
> This may impact your desire to use a block cipher as "mac" but you can
> do the same "truncation or zero-padding" trick you suggest below.

Truncation would be a bad idea; that means part (or all) of ID_p does
not contribute to the value of PRF.  Now, I don't know if this is a
weakness; on the other hand, if we were assured it wasn't a weakness,
why are we including ID_p at all?

> 
>   Also, I'm not sure what value there is to storing the the mac'd
> password since that value takes the place of the password to become
> the authentication credential (EKE is not an asymmetric protocol
> that can protect against server compromise by storing a transform
> of the password) but whatever value you find in that practice can
> only be enhanced by salting the value with the identities thereby
> ensuring that users with identical passwords will not have identical
> stored credentials.

However, if they were to store the KEY values, then identical passwords
will already not have identical credentials.  Would it work out better
if we suggested that more strongly?

> 
>   Dan.
> 
> On Mon, September 6, 2010 10:48 am, Yaron Sheffer wrote:
> > Hi Brian, Dan,
> >
> > thanks for both of your reviews.
> >
> > While we do not see additional value in including the identities in
> the
> > password derivation (given that they are later bound into the shared
> > secret), we don't have any problem with it either.
> >
> > We are fine with making the key derivation function more standard.
We
> > propose the following change to
> > http://tools.ietf.org/id/draft-sheffer-emu-eap-eke-08.html#commit-
> request.
> > We define a KDF which is modeled on RFC 5869, and in fact becomes
> HKDF
> > when the MAC is an HMAC (note that the draft does *not* constrain
MAC
> > functions to be an HMAC construction):
> >
> >       PRF := mac("\0"+, P)
> >       KEY := mac+(PRF, ID_s | ID_p)
> >       DHComponent_S := Encr(KEY, y_s)
> >
> > PRF is truncated or zero-padded if necessary when used to derive
KEY.
> > Neither is needed when using an HMAC function for the MAC.
> >
> > The protocol peers should store the MAC'ed password, instead of a
> > plaintext password. The peers have a choice of storing the output of
> the
> > first application of MAC, or that of the second application (i.e.
> salted
> > by the identities). The security benefits of the latter should be
> > weighed against the operational difficulty associated with changing
> > either of the identities.
> >
> > BTW, we have changed the "kmac" terminology into "mac", per your
> comments.
> >
> > The operator mac+ will be redefined as:
> >
> > mac+(key, string) = T1 | T2 ...
> >
> > where each Ti is an application of the keyed MAC with a fixed key:
> >
> > T1 = mac(key, string | 0x01)
> > T2 = mac(key, T1 | string | 0x02)
> > T3 = mac(key, T2 | string | 0x03)
> >
> > Please let us know if this change resolves your concerns.
> >
> > Thanks,
> > 	Yaron
> >
> > On 08/17/2010 06:52 AM, Brian Weis wrote:
> >> I have reviewed this document as part of the security directorate's
> >> ongoing effort to review all IETF documents being processed by the
> IESG.
> >> These comments were written primarily for the benefit of the
> security
> >> area directors. Document editors and WG chairs should treat these
> >> comments just like any other review comments.
> >>
> >> I previously reviewed -06 of this I-D and made a number of
> suggestions.
> >> The current version has addressed those as well as other last call
> >> comments. I have just one concern and one comment regarding the
> changes
> >> regarding encrypting DHComponent_S and DHComponent_P in on-the-wire
> >> payloads. This is described in Sections 5.1, 5.2, and 6.1. I'm
going
> to
> >> discuss DHComponent_S, but DHComponent_P is similarly changed.
> >>
> >> 1. In -06, DHComponent_S was protected with an IKEv2-style prf+():
> >> DHComponent_S = Encr(prf+(password, "EAP-EKE Password"), y_s),
> >> In -07, DHComponent_S is now protected with a "keyed MAC":
> >> DHComponent_S = Encr(kmac+(password), y_s)
> >> where kmac+() is defined as:
> >> kmac+(P) = T1 | T2 | ...
> >> where each Ti is an application of the keyed MAC with a fixed key:
> >> T1 = kmac("S"+, P | 0x01)
> >> T2 = kmac("S"+, T1 | P | 0x02)
> >> T3 = kmac("S"+, T2 | P | 0x03)
> >> Dan Harkins suggested an "extractor and expander" KDF, which I
> believe
> >> motivated this change. I think the use of a constant "salt" value
> used
> >> as a key in kmac+ approximates only the "extractor" function
> described
> >> in RFC 5869, and the output of an "extractor" is not intended to be
> the
> >> final KDF output. An "expander" function is necessary to follow the
> >> "extractor" function, and prf+ fits that description. So unless I'm
> >> mistaken, these section should define two calls: one to kmac() to
to
> >> create an intermediate value of the appropriate size, and the
> another
> >> that uses the intermediate value as the key to a prf+ call.
> >>
> >> I think it might be convenient to require the kmac+ and prf+
> algorithms
> >> be the same.
> >>
> >> 2. As far as I can tell, the definition of "kmac" is new to this I-
> D,
> >> which I found a bit confusing. It's really just a MAC, so I think
it
> >> would be clearer to just call it a mac().
> >>
> >> Brian
> >>
> >>
> >>
> >> _______________________________________________
> >> secdir mailing list
> >> secdir@ietf.org
> >> https://www.ietf.org/mailman/listinfo/secdir
> >
>