[secdir] secdir review of draft-ietf-curdle-gss-keyex-sha2-07

David Mandelberg <david@mandelberg.org> Mon, 31 December 2018 19:57 UTC

To: draft-ietf-curdle-gss-keyex-sha2.all@ietf.org, iesg@ietf.org, secdir@ietf.org
From: David Mandelberg <david@mandelberg.org>
Message-ID: <d27185fb-17ea-f84b-4c33-ea2ba2f50637@mandelberg.org>
Date: Mon, 31 Dec 2018 14:57:19 -0500
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/xG1d3XhQMsUNS6UmsMKSj6zxYcQ>

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

The summary of the review is Ready with nits. I have a few questions 
below about the security of this document, but each area I have a 
question about seems to be mostly copied from an established RFC rather 
than new to this draft.

Sections 4 and 5.2: Are you relying on MD5 for any security properties? 
Can anything bad happen if an attacker finds a collision?

Section 5.1: When calculating H, are the boundaries between each 
concatenated thing clear? E.g., would V_C = "1.21" V_S = "0.1" and V_C = 
"1.2" V_S = "10.1" result in the same value for H?

Section 5.1: I assume H or mic_token is used elsewhere to thwart an 
active MITM? From what I see here, everything hashed into H other than K 
is public, so an active MITM could generate different H values for 
different K values for the two sides.
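
Added example, not part of the original review or of the draft: the boundary question about H, run on the two version-string pairs quoted above. It assumes each field is framed as an RFC 4251 `string` (uint32 length prefix) and uses SHA-256 as a stand-in hash; only V_C and V_S are hashed here, and the function names are hypothetical.

```python
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string' framing: uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def hash_naive(fields) -> str:
    """Hash the raw concatenation, with nothing marking field boundaries."""
    return hashlib.sha256(b"".join(fields)).hexdigest()


def hash_framed(fields) -> str:
    """Hash the concatenation of length-prefixed fields (assumed framing)."""
    return hashlib.sha256(b"".join(ssh_string(f) for f in fields)).hexdigest()


# The two (V_C, V_S) pairs from the review question. The remaining inputs
# to H are left out because they do not affect the boundary issue.
PAIR_A = [b"1.21", b"0.1"]
PAIR_B = [b"1.2", b"10.1"]


def compare() -> dict:
    """Report whether the two pairs hash to the same value under each scheme."""
    return {
        "naive_collides": hash_naive(PAIR_A) == hash_naive(PAIR_B),
        "framed_collides": hash_framed(PAIR_A) == hash_framed(PAIR_B),
    }


if __name__ == "__main__":
    for scheme, collides in compare().items():
        print(f"{scheme}: {collides}")
```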