Re: [TLS] I-D: CipherSuites for Kerberos + DH
Ilari Liusvaara <ilariliusvaara@welho.com> Sun, 11 October 2015 12:17 UTC
Return-Path: <ilariliusvaara@welho.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0D64C1A8892 for <tls@ietfa.amsl.com>; Sun, 11 Oct 2015 05:17:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7hapbnsc7cCD for <tls@ietfa.amsl.com>; Sun, 11 Oct 2015 05:17:10 -0700 (PDT)
Received: from filtteri1.pp.htv.fi (filtteri1.pp.htv.fi [213.243.153.184]) by ietfa.amsl.com (Postfix) with ESMTP id 492841A8890 for <tls@ietf.org>; Sun, 11 Oct 2015 05:17:08 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by filtteri1.pp.htv.fi (Postfix) with ESMTP id 3A8B821B896; Sun, 11 Oct 2015 15:17:07 +0300 (EEST)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from smtp4.welho.com ([213.243.153.38]) by localhost (filtteri1.pp.htv.fi [213.243.153.184]) (amavisd-new, port 10024) with ESMTP id myI1AQBHDmVx; Sun, 11 Oct 2015 15:17:07 +0300 (EEST)
Received: from LK-Perkele-V2 (87-92-35-116.bb.dnainternet.fi [87.92.35.116]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp4.welho.com (Postfix) with ESMTPSA id 127ED5BC010; Sun, 11 Oct 2015 15:17:07 +0300 (EEST)
Date: Sun, 11 Oct 2015 15:17:01 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: Rick van Rein <rick@openfortress.nl>
Message-ID: <20151011121701.GA26616@LK-Perkele-V2.elisa-laajakaista.fi>
References: <561A0ED6.1000505@openfortress.nl>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <561A0ED6.1000505@openfortress.nl>
User-Agent: Mutt/1.5.23 (2014-03-12)
Sender: ilariliusvaara@welho.com
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/he9smpD_u6RJqHTTaz4MAnYhH4c>
Cc: tls@ietf.org
Subject: Re: [TLS] I-D: CipherSuites for Kerberos + DH
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 11 Oct 2015 12:17:13 -0000
On Sun, Oct 11, 2015 at 09:25:10AM +0200, Rick van Rein wrote: > > *From:* internet-drafts@ietf.org > > > > Name: draft-vanrein-tls-kdh > > Revision: 00 > > Hello TLS WG, > > I would like to propose new CipherSuites for TLS. The cryptography is > founded on Kerberos authentication and DH encryption, cryptographically > bound together. The mechanism uses mutual authentication, although > clients may use anonymous tickets. > > Any feedback that you may have (technical, or WG-procedural) is kindly > welcomed. I will also send this to the Kitten WG. Some quick comments: - The signed DH share does not look to be bound to anything (crypto parameters negotiation, randoms, server key exchange, etc..). I can't offhand say what that would lead to, but it looks even worse than TLS ServerKeyExchange, which has known vulernabilities due to lack of binding to things like ciphersuite. - The ciphersuite list looks bad: 1) IDEA (bad idea), CBC (don't use), apparent SHA-1 prf-hash (REALLY bad idea)[1][2]. - Even use of DH is questionable. [1] All the current ciphersuites have SHA-256 or SHA-384 prf-hash (the prf-hash of existing ciphers was grandfathered as SHA-256, even if the name has _SHA or _MD5). [2] AFAIK, proving security properties of TLS against active attack needs assumption that prf-hash is secure. And we know SHA-1 isn't. -Ilari
- [TLS] I-D: CipherSuites for Kerberos + DH Rick van Rein
- Re: [TLS] I-D: CipherSuites for Kerberos + DH Ilari Liusvaara
- Re: [TLS] I-D: CipherSuites for Kerberos + DH Watson Ladd
- Re: [TLS] I-D: CipherSuites for Kerberos + DH Eric Rescorla
- Re: [TLS] I-D: CipherSuites for Kerberos + DH Paul Wouters
- Re: [TLS] I-D: CipherSuites for Kerberos + DH Hugo Krawczyk
- Re: [TLS] I-D: CipherSuites for Kerberos + DH Rick van Rein
- Re: [TLS] I-D: CipherSuites for Kerberos + DH Ilari Liusvaara
- Re: [TLS] I-D: CipherSuites for Kerberos + DH Benjamin Kaduk
- Re: [TLS] I-D: CipherSuites for Kerberos + DH Rick van Rein
- Re: [TLS] I-D: CipherSuites for Kerberos + DH Rick van Rein
- Re: [TLS] I-D: CipherSuites for Kerberos + DH Benjamin Kaduk
- Re: [TLS] I-D: CipherSuites for Kerberos + DH Watson Ladd