Re: [TLS] I-D: CipherSuites for Kerberos + DH
Watson Ladd <watsonbladd@gmail.com> Tue, 13 October 2015 15:06 UTC
Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 15AE91B4692 for <tls@ietfa.amsl.com>; Tue, 13 Oct 2015 08:06:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pwMLPhEfFfcv for <tls@ietfa.amsl.com>; Tue, 13 Oct 2015 08:06:47 -0700 (PDT)
Received: from mail-wi0-x22d.google.com (mail-wi0-x22d.google.com [IPv6:2a00:1450:400c:c05::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 553381B468F for <tls@ietf.org>; Tue, 13 Oct 2015 08:06:47 -0700 (PDT)
Received: by wijq8 with SMTP id q8so36382323wij.0 for <tls@ietf.org>; Tue, 13 Oct 2015 08:06:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=JiyC2nJwzmXY9gEj6Mf2vGlWWUSB4qL9SyfeVsK8ono=; b=sfq2Op14APJhRtJY7DqcJZ9HZue8kO154ujdkykMczO6tPjib+QSwK0LDu55sAekA3 ZpRK5mAI3uWgo27QhuuK0cH+NMGpINcKczbRS+f9uabH5/1GF0e81xh1TxXaer+0b8XM 8JmBFHVVpNoP9+9iZMl0e/OquBVPyigLE1SSCeIgdLMQ92O1y2Pziqqn2bCWJi4SH0Th ea47IFah/RGZXo4XELqFnzKGEDCXXozrNzrCSwBCjuXRs8E824urrU1Ke9LbJcYzNzaL XgqXfQeatHuPk6K/PxAvYRQ0bMFdS6llcWUG11ZuOxp4t2uWAzk6HCJjiJW4wECNMHg5 OPVQ==
MIME-Version: 1.0
X-Received: by 10.180.23.231 with SMTP id p7mr22338074wif.30.1444748777021; Tue, 13 Oct 2015 08:06:17 -0700 (PDT)
Received: by 10.28.51.145 with HTTP; Tue, 13 Oct 2015 08:06:16 -0700 (PDT)
In-Reply-To: <561C39FB.6060206@akamai.com>
References: <561A0ED6.1000505@openfortress.nl> <20151011121701.GA26616@LK-Perkele-V2.elisa-laajakaista.fi> <CACsn0c=0dFpaRyiSsErVg_2cuco6M8mMgMS3YHLpxYEuH_82kw@mail.gmail.com> <561C39FB.6060206@akamai.com>
Date: Tue, 13 Oct 2015 11:06:16 -0400
Message-ID: <CACsn0cn5v2gP5PgrUP1E-Rq9D9_gQ_DRuzTq3BUxiUWkktLDeA@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Benjamin Kaduk <bkaduk@akamai.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/Ht0uGEl7FsxCbwZkUtFQlYJpKnA>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] I-D: CipherSuites for Kerberos + DH
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Oct 2015 15:06:49 -0000
On Mon, Oct 12, 2015 at 6:53 PM, Benjamin Kaduk <bkaduk@akamai.com> wrote: > On 10/11/2015 08:46 AM, Watson Ladd wrote: >> On Sun, Oct 11, 2015 at 8:17 AM, Ilari Liusvaara >> <ilariliusvaara@welho.com> wrote: >>> Some quick comments: >>> - The signed DH share does not look to be bound to anything (crypto >>> parameters negotiation, randoms, server key exchange, etc..). I can't >>> offhand say what that would lead to, but it looks even worse than >>> TLS ServerKeyExchange, which has known vulernabilities due to >>> lack of binding to things like ciphersuite. >>> - The ciphersuite list looks bad: 1) IDEA (bad idea), CBC >>> (don't use), apparent SHA-1 prf-hash (REALLY bad idea)[1][2]. >>> - Even use of DH is questionable. >> I would suggest piggybacking on the PSK mode, using the key Kerberos >> provides at both ends as the PSK key. This would address all of these >> issues in TLS 1.3 >> > > This would seem to require an application protocol doing some Kerberos > exchanges up front to establish the Kerberos session key before pivoting > into TLS-PSK in a STARTLS-esque fashion. If that's what the application > protocol would look like, it seems like there's no reason not to go > full-on GSSAPI with GSS_Pseudo_random to extract a PSK on both sides. > > This proposal (as complicated as it is, and I'm not sure that I'm > entirely comfortable with it yet) has the comparative advantage that the > application speaks TLS from the start, with the Kerberos messages > included in the TLS CKE. In that sense, at least, it is elegant. It would (modulo some work by me, which is unlikely to get done) be possible to do this with the PSK-ECDH extension: have the first two messages contain information used to derive the PSK, which is used to authenticate in the same manner in the second round. The problem here is that TLS is not a catchall "Transport Layer Security" capable of taking any sort of desired key exchanges and producing a secure protocol from them, but instead requires a lot of annoying work to ensure the proofs go through. Mike Hamburg has presented Keccak based designs that do do this, and TLS 1.3 by default does a lot better with this. > > This proposal also includes a generic mechanism for the server to > indicate what service type and hostname should be used in constructing > the host-based service principal name for Kerberos, which is useful -- > the convention for that would otherwise have to be baked into the > application protocol. The considerations around client anonymity and a > protocol for the server to convey its expectations are also interesting, > though I'm not sure I would have put it in the -00 if it was my own > document. > > There are some nits in the Kerberos bits that I might mention over on > kitten. > > -Ben > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls -- "Man is born free, but everywhere he is in chains". --Rousseau.
- [TLS] I-D: CipherSuites for Kerberos + DH Rick van Rein
- Re: [TLS] I-D: CipherSuites for Kerberos + DH Ilari Liusvaara
- Re: [TLS] I-D: CipherSuites for Kerberos + DH Watson Ladd
- Re: [TLS] I-D: CipherSuites for Kerberos + DH Eric Rescorla
- Re: [TLS] I-D: CipherSuites for Kerberos + DH Paul Wouters
- Re: [TLS] I-D: CipherSuites for Kerberos + DH Hugo Krawczyk
- Re: [TLS] I-D: CipherSuites for Kerberos + DH Rick van Rein
- Re: [TLS] I-D: CipherSuites for Kerberos + DH Ilari Liusvaara
- Re: [TLS] I-D: CipherSuites for Kerberos + DH Benjamin Kaduk
- Re: [TLS] I-D: CipherSuites for Kerberos + DH Rick van Rein
- Re: [TLS] I-D: CipherSuites for Kerberos + DH Rick van Rein
- Re: [TLS] I-D: CipherSuites for Kerberos + DH Benjamin Kaduk
- Re: [TLS] I-D: CipherSuites for Kerberos + DH Watson Ladd