Re: [secdir] secdir review of draft-ietf-curdle-gss-keyex-sha2-07

Jeffrey Hutzelman <jhutz@cmu.edu> Tue, 01 January 2019 22:13 UTC

Return-Path: <jhutz@cmu.edu>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B56C8130DC1; Tue, 1 Jan 2019 14:13:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Gzu1nog52Om8; Tue, 1 Jan 2019 14:13:35 -0800 (PST)
Received: from relay-exchange.andrew.cmu.edu (RELAY-EXCH-05.ANDREW.CMU.EDU [128.2.157.24]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E30E2129BBF; Tue, 1 Jan 2019 14:13:34 -0800 (PST)
Received: from dcns-msgp-01.andrew.ad.cmu.edu (DCNS-MSGP-01.ANDREW.AD.CMU.EDU [128.2.157.85]) by relay-exchange.andrew.cmu.edu (8.15.2/8.15.2) with ESMTPS id x01MDTo6023262 (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 1 Jan 2019 17:13:29 -0500
Received: from dcns-msgp-03.andrew.ad.cmu.edu (128.2.157.87) by dcns-msgp-01.andrew.ad.cmu.edu (128.2.157.85) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1591.10; Tue, 1 Jan 2019 17:13:28 -0500
Received: from dcns-msgp-03.andrew.ad.cmu.edu ([128.2.157.87]) by dcns-msgp-03.andrew.ad.cmu.edu ([128.2.157.87]) with mapi id 15.01.1591.008; Tue, 1 Jan 2019 17:13:28 -0500
From: Jeffrey Hutzelman <jhutz@cmu.edu>
To: David Mandelberg <david=40mandelberg.org@dmarc.ietf.org>, Simo Sorce <simo@redhat.com>, "draft-ietf-curdle-gss-keyex-sha2.all@ietf.org" <draft-ietf-curdle-gss-keyex-sha2.all@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Thread-Topic: [secdir] secdir review of draft-ietf-curdle-gss-keyex-sha2-07
Thread-Index: AQHUoUMUHwl08B2MXUm7QLQuuiqmK6Wax6aAgABsKYD//8YKXw==
Date: Tue, 1 Jan 2019 22:13:28 +0000
Message-ID: <7167ade4a5f34131b0febdbf838ed1fe@cmu.edu>
References: <d27185fb-17ea-f84b-4c33-ea2ba2f50637@mandelberg.org> <c2b59fec7c229f5ee1dc5297b1b4a92a5f0d7c17.camel@redhat.com>, <116626_1546374823_x01KXf1b120191_e99a19cd-6e21-f859-db68-23cdd20c1e25@mandelberg.org>
In-Reply-To: <116626_1546374823_x01KXf1b120191_e99a19cd-6e21-f859-db68-23cdd20c1e25@mandelberg.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [128.2.42.4]
Content-Type: multipart/alternative; boundary="_000_7167ade4a5f34131b0febdbf838ed1fecmuedu_"
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 2.78 on 128.2.157.24
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/zYs_scoNhzuKdvwJi_2Z4FdRAtk>
Subject: Re: [secdir] secdir review of draft-ietf-curdle-gss-keyex-sha2-07
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Jan 2019 22:13:37 -0000

Actually, this is not an issue. The value H is the SSH exchange hash, which is a common element across all key exchange methods. It is discussed in detail on the following page, which I think makes it clear that the hash is over a concatenation of a number of items of type 'string', except for K, which is an mpint. These types and their representations are described in RFC4251 section 5. In particular, 'string' is a counted string, so no, the cases you describe do not result in the same value for H.


-- Jeff


________________________________
From: secdir <secdir-bounces@ietf.org>; on behalf of David Mandelberg <david=40mandelberg.org@dmarc.ietf.org>;
Sent: Tuesday, January 1, 2019 3:33 PM
To: Simo Sorce; draft-ietf-curdle-gss-keyex-sha2.all@ietf.org; iesg@ietf.org; secdir@ietf.org
Subject: Re: [secdir] secdir review of draft-ietf-curdle-gss-keyex-sha2-07

On 1/1/19 9:06 AM, Simo Sorce wrote:
> On Mon, 2018-12-31 at 14:57 -0500, David Mandelberg wrote:
>> Section 5.1: When calculating H, are the boundaries between each
>> concatenated thing clear? E.g., would V_C = "1.21" V_S = "0.1" and V_C =
>> "1.2" V_S = "10.1" result in the same value for H?
>
> All else equal I think it would

Ok. I don't have any specific attacks in mind, but that seems like a
potential weak point. This probably isn't the right document to change
that in though.