Re: [TLS] Design Alternatives for Kerberos + DH
Rick van Rein <rick@openfortress.nl> Mon, 19 October 2015 09:12 UTC
Return-Path: <rick@openfortress.nl>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ED3131A878B for <tls@ietfa.amsl.com>; Mon, 19 Oct 2015 02:12:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WjjgQ9SB8yjM for <tls@ietfa.amsl.com>; Mon, 19 Oct 2015 02:12:51 -0700 (PDT)
Received: from lb1-smtp-cloud3.xs4all.net (lb1-smtp-cloud3.xs4all.net [194.109.24.22]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CCBDE1A8760 for <tls@ietf.org>; Mon, 19 Oct 2015 02:12:50 -0700 (PDT)
Received: from airhead.local ([83.161.146.46]) by smtp-cloud3.xs4all.net with ESMTP id WxCn1r00F10HQrX01xCoGh; Mon, 19 Oct 2015 11:12:48 +0200
Message-ID: <5624B40D.4080504@openfortress.nl>
Date: Mon, 19 Oct 2015 11:12:45 +0200
From: Rick van Rein <rick@openfortress.nl>
User-Agent: Postbox 3.0.11 (Macintosh/20140602)
MIME-Version: 1.0
To: Benjamin Kaduk <bkaduk@akamai.com>
References: <56212653.6050702@openfortress.nl> <1177744771.34157013.1445030003104.JavaMail.zimbra@redhat.com> <56216D37.1050701@akamai.com> <5621EF30.8040300@openfortress.nl> <5622857D.90304@akamai.com> <5623528B.7000302@openfortress.nl> <5624553A.8090103@akamai.com>
In-Reply-To: <5624553A.8090103@akamai.com>
X-Enigmail-Version: 1.2.3
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/XF-teFRkO_F0EDYCeSjQO1TbfPs>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Design Alternatives for Kerberos + DH
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Oct 2015 09:12:53 -0000
Hello Benjamin / TLS WG, I didn't mean to drop the list, so your full response is hereby included. >>> No, mutual authentication requires the client to receive a message from >>> the server. >> Yes, I know -- the server needs to handle the session key or the subkey >> to prove posession of its KDC-stored service key. By using it, the client >> can be convinced or server identity. > > Good to hear. Other readers, perhaps, did not. >>> This could be implicit >> I think it automatically is with TLS, since the Finished messages won't >> succeed until both parties have derived the same master secret, which >> if it involves the session key or subkey proves the server's identity in an >> implicit manner. > > From just your short descriptions, it was unclear to me what exactly > went into the master secret from the Kerberos side, so I wanted to be sure. Yes, balancing with terseness. The master secret is calculated as always, incorporating the pre-master secret as well as client/server random and, under RFC 7627, all of the handshake messages up to and including ClientKeyExchange. The pre-master is the combination of the ECDH shared secret and the session key(s) from Kerberos. For the latter, we can choose one or more from: * The session key generated by the KDC for this client/server combination session (lasting as long as the service ticket, usually about a day) * A subkey inserted into the Authenticator by the client for this particular connection (which can avoid replay during ticket life) * Possibly: a random byte string from the server, "decrypted" with the session key, to form a connection-specific key that hinges on server-side entropy I think my preference would be a combination of 2nd and 3rd because that incorporates entropy from both sides; although entropy from both sides is also incorporated through the ClientHello and ServerHello Random bytes, these are not encrypted to conceal it from MITM as in the 2nd and 3rd options. This is a bit paranoid perhaps --the ECDH mechanism achieves a similar thing already-- but the appeal of 2nd and 3rd as very light-weight and makes it much more difficult to crack. >> I do believe a long-enough Finished message is required though. For >> the TLS_ECDHE_KRB_ CipherSuites I've proposed a verify_data_lenth >> to match the required certainty from the message; if we mix Kerberos >> client "certificates" info other CipherSuites like TLS_ECDHE_RSA_ then >> a client SHOULD negotiate a high-enough value and the server MUST >> support that. It requires TLS 1.2 to do these things. >> > > Well, hmm, that's an interesting question. (Note, of course, that the > current Kerberos AES enctypes only use 96 bits of HMAC-SHA1 for their > MIC.) Keyed hashes such as HMAC-SHA1 don't seem to add much here, and they would have a grave impact on how the hashes are calculated in TLS stacks (because the key is only known later in the exchange). I would suggest that we follow TLS' hash preferences, since we are going to rely on those hashes having been computed through the prior exchange of TLS messages, and add those to the IANA Registry for Kerberos Checksum Type Numbers; this currently includes SHA1 and I doubt that anyone would protest to extensions with stronger unkeyed hashes. > The client can obtain information indicating that the server has > the correct Kerberos key both from the decrypted contents of the > Finished message I assume you meant "by matching the Finished message with one generated locally". > and also from the integrity protection of the > TLSCiphertext, since both use material derived from the master secret. Yes, TLSCiphertext is also protected, but my main concern is with Finished, because I would not like accept a TLS connection under doubtful circumstances, just to be OK when an application only sets up TLS as a means of authentication. With the longer Finished messages, that would not happen. > So I guess I'm not yet convinced that the verify_data_length should be > twice the bitlength of the negotiated symmetric cipher, but perhaps I'm > missing something obvious. I'm not sure if it should be 1x or 2x the cipher length. Most important to me is that it must be longer than the 12 bytes that were standard up to TLS 1.1 and default in TLS 1.2. -RIck
- Re: [TLS] Design Alternatives for Kerberos + DH Paul Wouters
- [TLS] Design Alternatives for Kerberos + DH Rick van Rein
- Re: [TLS] Design Alternatives for Kerberos + DH Benjamin Kaduk
- Re: [TLS] Design Alternatives for Kerberos + DH Nikos Mavrogiannopoulos
- Re: [TLS] Design Alternatives for Kerberos + DH Benjamin Kaduk
- Re: [TLS] Design Alternatives for Kerberos + DH Rick van Rein
- Re: [TLS] Design Alternatives for Kerberos + DH Rick van Rein
- Re: [TLS] Design Alternatives for Kerberos + DH Rick van Rein
- Re: [TLS] Design Alternatives for Kerberos + DH Karthikeyan Bhargavan
- Re: [TLS] Design Alternatives for Kerberos + DH Nikos Mavrogiannopoulos
- Re: [TLS] Design Alternatives for Kerberos + DH Benjamin Kaduk
- Re: [TLS] Design Alternatives for Kerberos + DH Rick van Rein
- Re: [TLS] Design Alternatives for Kerberos + DH Rick van Rein