Re: [TLS] Design Alternatives for Kerberos + DH
Benjamin Kaduk <bkaduk@akamai.com> Fri, 16 October 2015 21:34 UTC
Return-Path: <bkaduk@akamai.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D82231B2C32 for <tls@ietfa.amsl.com>; Fri, 16 Oct 2015 14:34:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.011
X-Spam-Level:
X-Spam-Status: No, score=-2.011 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EAGwpKKdgYmU for <tls@ietfa.amsl.com>; Fri, 16 Oct 2015 14:33:53 -0700 (PDT)
Received: from prod-mail-xrelay07.akamai.com (prod-mail-xrelay07.akamai.com [23.79.238.175]) by ietfa.amsl.com (Postfix) with ESMTP id EC0D61B3413 for <tls@ietf.org>; Fri, 16 Oct 2015 14:33:44 -0700 (PDT)
Received: from prod-mail-xrelay07.akamai.com (localhost.localdomain [127.0.0.1]) by postfix.imss70 (Postfix) with ESMTP id 0530F433517; Fri, 16 Oct 2015 21:33:44 +0000 (GMT)
Received: from prod-mail-relay10.akamai.com (prod-mail-relay10.akamai.com [172.27.118.251]) by prod-mail-xrelay07.akamai.com (Postfix) with ESMTP id E3325433516; Fri, 16 Oct 2015 21:33:43 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; s=a1; t=1445031223; bh=C0G12fDohob04CfP/QMy4BYvdy7oD6Sq8qpCBL8TwtM=; l=1912; h=To:References:Cc:From:Date:In-Reply-To:From; b=IVBy/a946+JfHV22A7CX2v0zFSDxkH9BwolZ3DC4DdygBslYeqTyuPmydLV1WkX7R 22QYFRi+S0zEMBsWa6aCtvozwnyX1cJibgK6OOeYbBUjP/c+s0ENQA07m+suFnwlBC zby37N8NDsMp0rcvibZke/1F2Ro90nw9Yo6pzVF0=
Received: from [172.19.0.25] (bos-lpczi.kendall.corp.akamai.com [172.19.0.25]) by prod-mail-relay10.akamai.com (Postfix) with ESMTP id A691F204E; Fri, 16 Oct 2015 21:33:43 +0000 (GMT)
To: Nikos Mavrogiannopoulos <nmav@redhat.com>, Rick van Rein <rick@openfortress.nl>
References: <56212653.6050702@openfortress.nl> <1177744771.34157013.1445030003104.JavaMail.zimbra@redhat.com>
From: Benjamin Kaduk <bkaduk@akamai.com>
X-Enigmail-Draft-Status: N1110
Message-ID: <56216D37.1050701@akamai.com>
Date: Fri, 16 Oct 2015 16:33:43 -0500
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.2.0
MIME-Version: 1.0
In-Reply-To: <1177744771.34157013.1445030003104.JavaMail.zimbra@redhat.com>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/H2zlKhXgWHb_1jgaj1CVuH0_7X4>
Cc: tls@ietf.org
Subject: Re: [TLS] Design Alternatives for Kerberos + DH
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Oct 2015 21:34:01 -0000
On 10/16/2015 04:13 PM, Nikos Mavrogiannopoulos wrote: > ----- Original Message ----- >> Hello, >> 3) Similar to OpenPGP: Negotiate cert-type >> >> There is a cert-type for X.509 and for OpenPGP; add one for Kerberos Tickets. >> PRO: Good integration with TLS: Tickets are transported in the >> ClientCertificate, and an Authenticator is the ClientVerify. DH is >> independent and can move to the earlier phase for TLS 1.3. >> CON: Decision on client credential type must be made in ClientHello, when not >> all data may be available (namely, the sequence of tickets leading to the >> TLS-protected service). Also impacts the cert-type used in the ServerCert. > > What messages do you need to transfer for Kerberos? Is it only a ping-pong? In that > case, do the supplemental data from RFC4680 provide a solution with PSK in TLS 1.2? > 4680 says "[a]ny such data MUST NOT need to be processed by the TLS protocol.", which seems to disqualify it from applicability here. In any case, the messages needed for Kerberos vary somewhat depending on the desired properties. When using Kerberos solely for client authentication, the combination of a Ticket and Authenticator is valid as essentially a bearer token within the clock skew window of five minutes and subject to replay. The client (or server, or both) can pick a subsession key encrypted by the session key in the Ticket, and if another message is passed that uses a subsession key for confidentiality/integrity (such as a response from the server to perform "mutual" (i.e., server) authentication, then there is less need for a replay cache. An additional key-confirmation message to validate the server-selected subsession key (such as actual application traffic being encrypted in that key) is helpful for the security analysis, but not always available depending on the constraints of the application protocol. -Ben
- Re: [TLS] Design Alternatives for Kerberos + DH Paul Wouters
- [TLS] Design Alternatives for Kerberos + DH Rick van Rein
- Re: [TLS] Design Alternatives for Kerberos + DH Benjamin Kaduk
- Re: [TLS] Design Alternatives for Kerberos + DH Nikos Mavrogiannopoulos
- Re: [TLS] Design Alternatives for Kerberos + DH Benjamin Kaduk
- Re: [TLS] Design Alternatives for Kerberos + DH Rick van Rein
- Re: [TLS] Design Alternatives for Kerberos + DH Rick van Rein
- Re: [TLS] Design Alternatives for Kerberos + DH Rick van Rein
- Re: [TLS] Design Alternatives for Kerberos + DH Karthikeyan Bhargavan
- Re: [TLS] Design Alternatives for Kerberos + DH Nikos Mavrogiannopoulos
- Re: [TLS] Design Alternatives for Kerberos + DH Benjamin Kaduk
- Re: [TLS] Design Alternatives for Kerberos + DH Rick van Rein
- Re: [TLS] Design Alternatives for Kerberos + DH Rick van Rein