IETF Logo Mail Archive

Re: [TLS] Design Alternatives for Kerberos + DH

Rick van Rein <rick@openfortress.nl> Sat, 17 October 2015 08:17 UTC

Return-Path: <rick@openfortress.nl>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B74341A8F34 for <tls@ietfa.amsl.com>; Sat, 17 Oct 2015 01:17:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_82=0.6, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qhdte5wb4hKQ for <tls@ietfa.amsl.com>; Sat, 17 Oct 2015 01:17:56 -0700 (PDT)
Received: from lb3-smtp-cloud2.xs4all.net (lb3-smtp-cloud2.xs4all.net [194.109.24.29]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EF2811A8BC5 for <tls@ietf.org>; Sat, 17 Oct 2015 01:17:55 -0700 (PDT)
Received: from airhead.local ([83.161.146.46]) by smtp-cloud2.xs4all.net with ESMTP id W8Hs1r00910HQrX018HtDt; Sat, 17 Oct 2015 10:17:53 +0200
Message-ID: <5622042D.4050200@openfortress.nl>
Date: Sat, 17 Oct 2015 10:17:49 +0200
From: Rick van Rein <rick@openfortress.nl>
User-Agent: Postbox 3.0.11 (Macintosh/20140602)
MIME-Version: 1.0
To: Karthikeyan Bhargavan <karthik.bhargavan@gmail.com>
References: <56212653.6050702@openfortress.nl> <A35BE5FA-DF42-44D6-99C1-A41D911BD019@inria.fr>
In-Reply-To: <A35BE5FA-DF42-44D6-99C1-A41D911BD019@inria.fr>
X-Enigmail-Version: 1.2.3
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/errxPTJuNvcNt_C24nVsV_qJLv0>
Cc: tls@ietf.org
Subject: Re: [TLS] Design Alternatives for Kerberos + DH
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 17 Oct 2015 08:17:58 -0000

Hi Karthikeyan,


> I don’t fully understand the constraints of the Kerberos+DH use-case, but using DHE-PSK seems like the best idea.


It certainly has some virtue to view Kerberos as a preshared key (on
steroids).  But let me explain what bothers me about that appraoch :-

* PSK was designed to carry "hints", not "wrapped-up keys".  It feels
like we'd not be using it entirely properly.

* To avoid replay without (distributed) replay-protection caches, we
need a ping-pong exchange.  PSK sends back a literal copy of what it got
sent, which means that we cannot send back a cryptographic reply. 
Normally, we would do just that in the Kerberos Application Protocol. 
When we have an Authenticator in a separate ClientVerify message, it
automatically ranges over all past TLS messages, incorporating DH,
server random and the Ticket that is being proposed.  With the PSK
approach, it all gets stuffed into one TLS message and we'll be defining
things that are not in line with generic structures for TLS.

* PSK carries untyped information.  This means that a client and server
need out-of-band agreement on the meaning of the PSK format.  And we
probably agree that educated guesses based on magic numbers are not good
for a security protocol.  This means that use of PSK is limited to
pre-arranged client/server combinations.  Meanwhile, Kerberos is hoping
to expand to make clients and services authenticate even when they have
never met before.

> The planned session resumption mechanism for TLS 1.3 also uses DHE-PSK, and uses a session ticket mechanism
> that is not so far from the Kerberos ticket. The Kerberos session key would then get mixed in (as a semi-static secret)
> to the ECDHE shared secret and both client and server would obtain mutual authentication (based on the Kerberos key).

Yes, that is nice and orthogonal.  However, we do need the entropy of
ECDHE and server random to be mixed in with the Authenticator to make
replay undoable.  The best way to do that orthogonally is to rely on a
hash of prior exchanges, which is not possible, at least under 1.2, with
structures that mix Diffie-Hellman and PSK fields.  Combined with this
being a variation of PSK, I would expect it to lead to more exceptional
code than what is being proposed as 3) and 4) -- and exceptional code
often is badly-tested code.


> It may be best to try and fit Kerberos into this existing mechanism, unless there is some fundamental incompatibility.

I follow the same line of thought, but think integration with the
ClientCertificate / ClientVerify is more natural.  Tickets are not just
keys, they also carry identity, and bind them together.  Once again, the
reasoning is that this directs the questions to a TLS stack to the right
place, without a need to bypass it to elsewhere for this one usecase.

Thanks!
 -Rick

v2.23.0 | Report a Bug | By Email