[SPKM] Comments on draft-adamson-rfc2847-bis-01
Eric Rescorla <ekr@networkresonance.com> Tue, 31 October 2006 03:38 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1GekS2-0000vF-Na; Mon, 30 Oct 2006 22:38:10 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1GekS1-0000t8-NK for spkm@ietf.org; Mon, 30 Oct 2006 22:38:09 -0500
Received: from laser.networkresonance.com ([198.144.196.2]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1GekRx-0007Oq-0b for spkm@ietf.org; Mon, 30 Oct 2006 22:38:09 -0500
Received: from networkresonance.com (raman.networkresonance.com [198.144.196.3]) by laser.networkresonance.com (Postfix) with ESMTP id 9B3595C01E for <spkm@ietf.org>; Mon, 30 Oct 2006 19:41:05 -0800 (PST)
To: spkm@ietf.org
X-Mailer: MH-E 7.4.3; nmh 1.2; XEmacs 21.4 (patch 19)
Date: Mon, 30 Oct 2006 19:38:04 -0800
From: Eric Rescorla <ekr@networkresonance.com>
Message-Id: <20061031034105.9B3595C01E@laser.networkresonance.com>
X-Spam-Score: 1.1 (+)
X-Scan-Signature: 311e798ce51dbeacf5cdfcc8e9fda21b
Subject: [SPKM] Comments on draft-adamson-rfc2847-bis-01
X-BeenThere: spkm@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Low Infrastructure Public Key GSS mechanism <spkm.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/spkm>, <mailto:spkm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/spkm>
List-Post: <mailto:spkm@ietf.org>
List-Help: <mailto:spkm-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/spkm>, <mailto:spkm-request@ietf.org?subject=subscribe>
Errors-To: spkm-bounces@ietf.org
$Id: draft-adamson-rfc2487-bis-01-rev.txt,v 1.2 2006/10/30 22:47:13 ekr Exp $ BACKGROUND This document describes two new GSS mechanisms: - SPKM-3 -- an asymmetric key-based handshake and token protection scheme. - LIPKEY -- a client-side password based authentication scheme with server authentication via certificates. LIPKEY is a wrapper around SPKM-3. GENERAL COMMENTS 1. Algorithms Many of the algorithms described in this document should be replaced with more modern algorithms. For message integrity, this document specifies: HMAC-MD5 MD5/RSA SHA1/RSA DSA/SHA1 DES-MAC MD5-DES-CBC SUM64-DES-CBC The only ones of these algorithms that are appropriate for new standards are SHA1/RSA and DSA/SHA-1. Wang et al.'s results clearly imply that MD5 should be deprecated in all signature contexts and Kim et al's results [0] suggest that HMAC-MD5 at least shouldn't be put into new systems. HMAC-SHA1 is the appropriate replacement. For confidentiality, this document specifies: AES256-CBC AES128-CBC DES-EDE3-CBC cast5CBC These are probably all fine, but there's really no longer any reason to include CAST. It also appears that somehow DES-CBC is allowed. That's really not OK. The OWF specified here is simply SHA-1 with the inputs concatenated. Modern KDF designs almost always have the key being a separate input value. E.g., HMAC-SHA1(key, seed....). I suggest copying the TLS PRF, the IPsec KDF, or the NIST 800-56A KDF. 2. Incomplete specification In a number of cases, the only documentation for fields is cursory comments in the ASN.1. Every field should be explained in the main body of the text. 3. MAC/signature overloading In this document, symmetric MAC algorithms and asymmetric signature algorithms are used semi-interchangeably. That's a dangerous practice which tends to lead to confusion and brittle designs. AFAICT, the signature algorithm is used to authenticate the peers and the MAC algorithm is used to authenticate data packets. Is there really any need to *sign* data packets? If there is, it should be provided with a separate facility, esp. since the current design provides no way for one side to ask for a signature on specific packets and indeed discourages negotiating it (see S 2.3.1). 4. Multiple Negotiated algorithms This mechanism seems to result in negotiating the intersection of the acceptable algorithm sets. Why not just choose one algorithm and stick with it like IPsec and TLS do? This seems like it has obvious downgrade problems. DETAILED COMMENTS S 2.1. A ladder diagram of the protocol flows would really help here. S 2.3.2. A GSS mechanism need not support confidentiality. Making a confidentiality algorithm mandatory may preclude exportability of the mechanism implementation; this document therefore specifies certain Exportability hasn't been a major concern for quite some time. S 2.3.3. I don't understand how you upgrade to stronger groups, since the initiator sends its DH share before it talks to the server. How would you upgrade to ECC, for instance? S 2.4.1.1. Conf-Algs ::= CHOICE { algs [0] SEQUENCE OF AlgorithmIdentifier, null [1] NULL, -- used when conf. is not available over context ... } Why not just allow an empty sequence instead of NULL? If the SPKM-3 implementation supports an algorithm weaker than cast5CBC, cast5CBC MUST be listed before the weaker algorithm to encourage the target to negotiate the stronger algorithm. You shouldn't be specifying any algorithms weaker than cast5CBC. S 2.4.1.2. REP-TI-TOKEN ::= SEQUENCE { rep-ti-contents Rep-ti-contents, algId AlgorithmIdentifier, -- should be one of the digital signature algorithms rep-ti-integ Integrity, -- "token" is Rep-ti-contents ... } Is there some way for the peer to express which digital signature algorithms he wants? I don't see it. key-estb-id AlgorithmIdentifier OPTIONAL, -- used if target is changing key estb. algorithm (MUST be -- a member of initiators key-estb-set) I don't understand how this could happen. S 2.4.2.2. md5WithRsaEncryption is currently stipulated for the signing of context establishment tokens. Discrepancies involving modulus bitlength can be resolved through judicious use of the SPKM-GSS-ERROR token. The context initiator signs REQ-TOKEN using the strongest RSA it supports (e.g., 1024 bits). If the target is unable to verify signatures of this length, it sends SPKM-GSS- ERROR signed with the strongest RSA that it supports (e.g. 512). Furthermore, the target can include an appropriate minor_status value (GSS_SPKM_S_SG_WEAK_KEY). How does this work if the target has a key too big for the initiator and you're in anonymous mode? S 2.4.3.1. SPKM-MIC ::= SEQUENCE { mic-header Mic-Header, int-cksum BIT STRING, -- Checksum over header and data, calculated according to -- algorithm specified in int-alg field. ... } The word "checksum" really isn't appropriate here. As noted previously, I think it's a mistake to treat MACs and signatures as the same thing, but if you must, the right term here is "Message Integrity Check" (MIC). Mic-Header ::= SEQUENCE { tok-id INTEGER (257), -- shall contain 0101 (hex) context-id Random-Integer, int-alg [0] AlgorithmIdentifier OPTIONAL, -- Integrity algorithm indicator (MUST be one of the agreed -- integrity algorithms for this context). -- field not present = default id. snd-seq [1] SeqNum OPTIONAL, -- sequence number field. ... } Allowing switch-hitting of integrity algorithms seems problematic, since it basically forces one side to receive packets with the lowest jointly acceptable algorithm. Better to let the negotiation pick the single best one. S 2.8. I don't understand the bit about the algorithm numbers being specified by the mechanism specification. Is that this document? This may be obvious to people steeped in GSS, but a little more explanation might help. The weak/medium/strong values here are quite out of date. 40 bits is laughably weak. We should be deprecating these algorithms entirely. For the Confidentiality MA field: 0001 (1) = DES-CBC 0010 (2) = cast5CBC 0011 (3) = aes256-CBC I don't understand what happened to e.g., AES-128.... S 3. Slightly more introductory text here might help. E.g., LIPKEY provides a mechanism for having target authentication via certificates and client authentication via passwords. LIPKEY is a wrapper around SPKM-3. [0] http://eprint.iacr.org/2006/187 -Ekr _______________________________________________ SPKM mailing list SPKM@ietf.org https://www1.ietf.org/mailman/listinfo/spkm
- [SPKM] Comments on draft-adamson-rfc2847-bis-01 Eric Rescorla