IETF Logo Mail Archive

Re: [TLS] I-D: CipherSuites for Kerberos + DH

Ilari Liusvaara <ilariliusvaara@welho.com> Mon, 12 October 2015 10:36 UTC

Return-Path: <ilariliusvaara@welho.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 43E891A6FBE for <tls@ietfa.amsl.com>; Mon, 12 Oct 2015 03:36:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aPmHWxk5idsn for <tls@ietfa.amsl.com>; Mon, 12 Oct 2015 03:36:54 -0700 (PDT)
Received: from filtteri1.pp.htv.fi (filtteri1.pp.htv.fi [213.243.153.184]) by ietfa.amsl.com (Postfix) with ESMTP id 963E81A6FBC for <tls@ietf.org>; Mon, 12 Oct 2015 03:36:53 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by filtteri1.pp.htv.fi (Postfix) with ESMTP id 291CD21C4A4; Mon, 12 Oct 2015 13:36:51 +0300 (EEST)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from smtp5.welho.com ([213.243.153.39]) by localhost (filtteri1.pp.htv.fi [213.243.153.184]) (amavisd-new, port 10024) with ESMTP id wXTJEnlIVKYh; Mon, 12 Oct 2015 13:36:50 +0300 (EEST)
Received: from LK-Perkele-V2 (87-92-35-116.bb.dnainternet.fi [87.92.35.116]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp5.welho.com (Postfix) with ESMTPSA id DBF4E5BC011; Mon, 12 Oct 2015 13:36:50 +0300 (EEST)
Date: Mon, 12 Oct 2015 13:36:50 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: Rick van Rein <rick@openfortress.nl>
Message-ID: <20151012103650.GA28213@LK-Perkele-V2.elisa-laajakaista.fi>
References: <561A0ED6.1000505@openfortress.nl> <20151011121701.GA26616@LK-Perkele-V2.elisa-laajakaista.fi> <CACsn0c=0dFpaRyiSsErVg_2cuco6M8mMgMS3YHLpxYEuH_82kw@mail.gmail.com> <561B419D.4010009@openfortress.nl>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <561B419D.4010009@openfortress.nl>
User-Agent: Mutt/1.5.23 (2014-03-12)
Sender: ilariliusvaara@welho.com
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/NOKr9jN7a-5J-auskrR2SrzHmrU>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] I-D: CipherSuites for Kerberos + DH
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Oct 2015 10:36:56 -0000

On Mon, Oct 12, 2015 at 07:14:05AM +0200, Rick van Rein wrote:

> Hello,
> 
> Thanks for the feedback.  Responding to it:
> 
> Ilari>   - The signed DH share does not look to be bound to anything (crypto
> Ilari>   parameters negotiation, randoms, server key exchange, etc..).
> 
> This is indeed easy to miss; it relies on Kerberos infra to deliver a
> short-lived session key to only the proper TLS client and TLS server.
> The ticket is part of this key delivery, and can travel over untrusted
> networks.
> 
> A alternative option to fighting MITM could be to include (a hash of)
> the server-sent DH offer in the Authenticator.  Only the Kerberos-
> authenticated TLS server can decrypt it, making it detect MITM.  Is
> that considered benefial?

If I was to do things like the current proposal (as opposed to
overloading DHE-PSK), I would put in hash of entiere client and server
first flights.

Otherwise things get "interesting" when considering tweaking handshake
or replaying the encrypted CKE. And "interesting" in crypto is not good.
 
> Ilari>   I can't
> Ilari>   offhand say what that would lead to, but it looks even worse than
> Ilari>   TLS ServerKeyExchange, which has known vulernabilities due to
> Ilari>   lack of binding to things like ciphersuite.
> 
> Have I taken away these concerns?  Pointers to the known vulnerabilities
> are welcome, of course.  I'm not sure what you would like to bind to
> CipherSuites.

The SKE security issue (SKE isn't bound to the ciphersuite) has surfaced
at least three times:

1) The DHE/ECDHE confusion.
2) FREAK
3) Logjam

> Watson>   I would suggest piggybacking on the PSK mode, using the key Kerberos
> Watson>   provides at both ends as the PSK key. This would address all of these
> Watson>   issues in TLS 1.3
> 
> You mean to add the short-lived session key to the pre-master secret, right?
> 
> I have a (weak) preference to leave that key behind the API to help
> it being better protected.  Also, I don't think it adds much to
> the security explained above.

I think he means stuffing the key from kerberos as PSK input in
(EC)DHE-PSK ciphersuite.

The security properties of that are much more straightforward than
properties of present proposal.
 
> Ilari>   - Even use of DH is questionable.
> 
> This is mod-exp DH, on account of its need for very large keys, right?
> 
> I would love to take it out, and only leave ECDH; I put up mod-exp DH
> initially because it might be desired for backward compatibility.  If
> I hear no warm-felt desire for mod-exp DH I will gladly remove it.

Backward compatiblity? I don't think you need such thing with proposal
like this.


-Ilari

v2.23.0 | Report a Bug | By Email