IETF Logo Mail Archive

Re: [TLS] I-D: CipherSuites for Kerberos + DH

Rick van Rein <rick@openfortress.nl> Mon, 12 October 2015 05:14 UTC

Return-Path: <rick@openfortress.nl>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 44C941B3150 for <tls@ietfa.amsl.com>; Sun, 11 Oct 2015 22:14:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rn1VkiI8qveu for <tls@ietfa.amsl.com>; Sun, 11 Oct 2015 22:14:12 -0700 (PDT)
Received: from lb1-smtp-cloud2.xs4all.net (lb1-smtp-cloud2.xs4all.net [194.109.24.21]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A63CE1B314D for <tls@ietf.org>; Sun, 11 Oct 2015 22:14:11 -0700 (PDT)
Received: from airhead.local ([83.161.146.46]) by smtp-cloud2.xs4all.net with ESMTP id U5E71r00D10HQrX015E83i; Mon, 12 Oct 2015 07:14:09 +0200
Message-ID: <561B419D.4010009@openfortress.nl>
Date: Mon, 12 Oct 2015 07:14:05 +0200
From: Rick van Rein <rick@openfortress.nl>
User-Agent: Postbox 3.0.11 (Macintosh/20140602)
MIME-Version: 1.0
To: Ilari Liusvaara <ilariliusvaara@welho.com>, Watson Ladd <watsonbladd@gmail.com>
References: <561A0ED6.1000505@openfortress.nl> <20151011121701.GA26616@LK-Perkele-V2.elisa-laajakaista.fi> <CACsn0c=0dFpaRyiSsErVg_2cuco6M8mMgMS3YHLpxYEuH_82kw@mail.gmail.com>
In-Reply-To: <CACsn0c=0dFpaRyiSsErVg_2cuco6M8mMgMS3YHLpxYEuH_82kw@mail.gmail.com>
X-Enigmail-Version: 1.2.3
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/l0XapVincT1AHgodxMOiLeOHY7c>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] I-D: CipherSuites for Kerberos + DH
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Oct 2015 05:14:14 -0000

Hello,

Thanks for the feedback.  Responding to it:

Ilari>   - The signed DH share does not look to be bound to anything (crypto
Ilari>   parameters negotiation, randoms, server key exchange, etc..).

This is indeed easy to miss; it relies on Kerberos infra to deliver a
short-lived session key to only the proper TLS client and TLS server.
The ticket is part of this key delivery, and can travel over untrusted
networks.

An Authenticator is built especially for each connection, and encrypted
with the session key by the TLS client.  The only other that can decrypt
it is the TLS server.  With the client DH key only known to TLS client
and TLS server, only they can construct the DH shared secret.

What remains is MITM on the server side.  This is detected when the
Finished messages are off (these have more bytes for TLS-KDH).

A alternative option to fighting MITM could be to include (a hash of)
the server-sent DH offer in the Authenticator.  Only the Kerberos-
authenticated TLS server can decrypt it, making it detect MITM.  Is
that considered benefial?

Ilari>   I can't
Ilari>   offhand say what that would lead to, but it looks even worse than
Ilari>   TLS ServerKeyExchange, which has known vulernabilities due to
Ilari>   lack of binding to things like ciphersuite.

Have I taken away these concerns?  Pointers to the known vulnerabilities
are welcome, of course.  I'm not sure what you would like to bind to
CipherSuites.

Watson>   I would suggest piggybacking on the PSK mode, using the key Kerberos
Watson>   provides at both ends as the PSK key. This would address all of these
Watson>   issues in TLS 1.3

You mean to add the short-lived session key to the pre-master secret, right?

I have a (weak) preference to leave that key behind the API to help
it being better protected.  Also, I don't think it adds much to
the security explained above.

It might be an idea to add protected fields from the Authenticator though,
such as the usec timestamp, seq-number, client name@realm.

Ilari>   - The ciphersuite list looks bad: 1) IDEA (bad idea), CBC
Ilari>   (don't use), apparent SHA-1 prf-hash (REALLY bad idea)[1][2].

Yes, this is a naive/initial list, I knew I would need to interact here
to get it pruned.  Thanks, your suggestions will be taken care of!

Ilari>   - Even use of DH is questionable.

This is mod-exp DH, on account of its need for very large keys, right?

I would love to take it out, and only leave ECDH; I put up mod-exp DH
initially because it might be desired for backward compatibility.  If
I hear no warm-felt desire for mod-exp DH I will gladly remove it.


Thanks!
 -Rick

v2.23.0 | Report a Bug | By Email