Re: [secdir] secdir review of draft-ietf-curdle-gss-keyex-sha2-07

David Mandelberg <david@mandelberg.org> Tue, 01 January 2019 20:33 UTC

Return-Path: <david@mandelberg.org>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9FE8D129A87 for <secdir@ietfa.amsl.com>; Tue, 1 Jan 2019 12:33:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=mandelberg.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id osPJUBEEZIXu for <secdir@ietfa.amsl.com>; Tue, 1 Jan 2019 12:33:36 -0800 (PST)
Received: from smtp.rcn.com (smtp.rcn.com [69.168.97.78]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DF356129C6A for <secdir@ietf.org>; Tue, 1 Jan 2019 12:33:34 -0800 (PST)
X_CMAE_Category: , ,
X-CNFS-Analysis: v=2.2 cv=aqzwMmRV c=1 sm=1 tr=0 a=OXtaa+9CFT7WVSERtyqzJw==:117 a=OXtaa+9CFT7WVSERtyqzJw==:17 a=KGjhK52YXX0A:10 a=IkcTkHD0fZMA:10 a=NTnny0joGdQA:10 a=3JhidrIBZZsA:10 a=bmmO2AaSJ7QA:10 a=BTUBnpS-AAAA:8 a=KLlQBJra5XYmiPl-zaAA:9 a=QEXdDO2ut3YA:10 a=pblkFgjdBCuYZ9-HdJ6i:22
X-CM-Score: 0
X-Scanned-by: Cloudmark Authority Engine
X-Authed-Username: ZHNlb21uQHJjbi5jb20=
Authentication-Results: smtp01.rcn.cmh.synacor.com smtp.mail=david@mandelberg.org; spf=softfail; sender-id=softfail
Authentication-Results: smtp01.rcn.cmh.synacor.com header.DKIM-Signature=@mandelberg.org; dkim=pass
Authentication-Results: smtp01.rcn.cmh.synacor.com header.from=david@mandelberg.org; sender-id=softfail
Authentication-Results: smtp01.rcn.cmh.synacor.com smtp.user=dseomn@rcn.com; auth=pass (LOGIN)
Received: from [209.6.43.168] ([209.6.43.168:58424] helo=uriel.mandelberg.org) by smtp.rcn.com (envelope-from <david@mandelberg.org>) (ecelerity 3.6.25.56547 r(Core:3.6.25.0)) with ESMTPSA (cipher=DHE-RSA-AES256-GCM-SHA384) id 17/E2-32266-D9ECB2C5; Tue, 01 Jan 2019 15:33:33 -0500
Received: from [192.168.1.152] (DD-WRT [192.168.1.1]) by uriel.mandelberg.org (Postfix) with ESMTPSA id 52D891C605C; Tue, 1 Jan 2019 15:33:32 -0500 (EST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mandelberg.org; s=201809; t=1546374812; bh=bL60RFE2fAI22NdlF2fnu9oZfKXxt9YYKbZpJZMqb8A=; h=Subject:To:References:From:Date:In-Reply-To:From; b=f/cwaiiUpOveEmzMBJk9tvjLiLU7weZvL3mF2G96/+FmwkCa6PEc/9k8sEOOKKYry 6rdzQbHemqwz6gXaNUEX9AwCd2+zs5MD+NBx2jpS0NgF8a42RgC0Dh2xulVdX044GZ wMHZg4XHUqOaEeooFmSZBTbXi+kYHc+8K3HUnBmIP0JiIbCJ44p+oVCGaSDCQeAbf3 6lm8VfgRGXsjUSiAo5PxRpAiis+iayLFzMVjvCD3jYn03MV5lQQ0w/olfzWPGBjd9w b6HnD1uWflt8Aj8OkpkJvDTTyHHl0adQGHJcbxUd5SIT+H4HiZtUFPy7XWSC7/YW7u 97DwtdguOmLjw==
To: Simo Sorce <simo@redhat.com>, draft-ietf-curdle-gss-keyex-sha2.all@ietf.org, iesg@ietf.org, secdir@ietf.org
References: <d27185fb-17ea-f84b-4c33-ea2ba2f50637@mandelberg.org> <c2b59fec7c229f5ee1dc5297b1b4a92a5f0d7c17.camel@redhat.com>
From: David Mandelberg <david@mandelberg.org>
Message-ID: <e99a19cd-6e21-f859-db68-23cdd20c1e25@mandelberg.org>
Date: Tue, 1 Jan 2019 15:33:31 -0500
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.2.1
MIME-Version: 1.0
In-Reply-To: <c2b59fec7c229f5ee1dc5297b1b4a92a5f0d7c17.camel@redhat.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/wCU6ngTZDo-rWYZwaUXGyqAVN24>
Subject: Re: [secdir] secdir review of draft-ietf-curdle-gss-keyex-sha2-07
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Jan 2019 20:33:38 -0000

On 1/1/19 9:06 AM, Simo Sorce wrote:
> On Mon, 2018-12-31 at 14:57 -0500, David Mandelberg wrote:
>> Section 5.1: When calculating H, are the boundaries between each
>> concatenated thing clear? E.g., would V_C = "1.21" V_S = "0.1" and V_C =
>> "1.2" V_S = "10.1" result in the same value for H?
> 
> All else equal I think it would

Ok. I don't have any specific attacks in mind, but that seems like a 
potential weak point. This probably isn't the right document to change 
that in though.


>> Section 5.1: I assume H or mic_token is used elsewhere to thwart an
>> active MITM? From what I see here, everything hashed into H other than K
>> is public, so an active MITM could generate different H values for
>> different K values for the two sides.
> 
> the MIC around H is used to assure no tampering of messages happened.
> Anti-MITM properties are conferred by the GSSAPI exchange which is
> mutually authenticated.
> In order to perform a MITM an attacker need to get hold of both parties
> keys (a GSSAPI exchange does not use public/private or DH, it is a KDC
> mediated exchange using only symmetric keys).

Sounds good, thanks for the explanation.


-- 
https://david.mandelberg.org/