IETF Logo Mail Archive

Re: [TLS] GSS-API extension draft available

Jeffrey Altman <jaltman@secure-endpoints.com> Wed, 20 December 2006 12:44 UTC

Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1Gx0o1-0002Fo-Sl; Wed, 20 Dec 2006 07:44:21 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1Gx0o0-0002Fa-29 for tls@ietf.org; Wed, 20 Dec 2006 07:44:20 -0500
Received: from ms-smtp-01.rdc-nyc.rr.com ([24.29.109.5]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1Gx0ny-0006LJ-QM for tls@ietf.org; Wed, 20 Dec 2006 07:44:20 -0500
Received: from www.secure-endpoints.com (cpe-68-175-93-48.nyc.res.rr.com [68.175.93.48]) by ms-smtp-01.rdc-nyc.rr.com (8.13.6/8.13.6) with ESMTP id kBKCiF4Z015263 for <tls@ietf.org>; Wed, 20 Dec 2006 07:44:16 -0500 (EST)
Received: from [192.168.1.13] by secure-endpoints.com (Cipher TLSv1:RC4-MD5:128) (MDaemon PRO v9.5.3) with ESMTP id md50000038322.msg for <tls@ietf.org>; Wed, 20 Dec 2006 07:45:39 -0500
Message-ID: <4589306D.5030809@secure-endpoints.com>
Date: Wed, 20 Dec 2006 07:45:33 -0500
From: Jeffrey Altman <jaltman@secure-endpoints.com>
Organization: Secure Endpoints Inc.
User-Agent: Thunderbird 1.5.0.9 (Windows/20061207)
MIME-Version: 1.0
To: bmoeller@acm.org
Subject: Re: [TLS] GSS-API extension draft available
References: <45883A8F.1090801@secure-endpoints.com> <200612192026.VAA21427@uw1048.wdf.sap.corp> <20061220122616.GA21201@tau.invalid>
In-Reply-To: <20061220122616.GA21201@tau.invalid>
X-Enigmail-Version: 0.94.1.2
X-Authenticated-Sender: jaltman@secure-endpoints.com
X-Spam-Processed: www.secure-endpoints.com, Wed, 20 Dec 2006 07:45:39 -0500 (not processed: message from valid local sender)
X-Return-Path: jaltman@secure-endpoints.com
X-Envelope-From: jaltman@secure-endpoints.com
X-MDaemon-Deliver-To: tls@ietf.org
X-Virus-Scanned: Symantec AntiVirus Scan Engine
X-Spam-Score: 0.1 (/)
X-Scan-Signature: b22590c27682ace61775ee7b453b40d3
Cc: tls@ietf.org
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: jaltman@secure-endpoints.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============1600229398=="
Errors-To: tls-bounces@lists.ietf.org

Bodo Moeller wrote:
> It appears to me that when we use the GSS-API PRF for Kerberos V 
> (RFC 4402) as suggested in draft-santesson-tls-gssapi-01.txt, we have
> solved the wrong problem.  Using the PRF will give use a unique
> premaster secret for each session, which we don't really need.  Using
> the PRF will not include any additional *secret* entropy, which is what
> we actually need -- at least if the main worry is the lack of entropy in
> the Kerberos session key.
> 
> I may have misunderstood what the proposed GSS-API based handshake would
> be doing in the Kerberos V case.  But if it works the way I think it
> works (without mixing in secret entropy from a key exchange such as
> DH/ECDH), then to improve the level of security compared with RFC 2712
> as apparently is desired, we'd still have to perform an immediate
> renegotiation to benefit from an appropriate key exchange mechanism.
> 
> Bodo

Currently the input to the GSS PRF would be:

OM_uint32  minor_status;
gss_ctx_id_t  gss_context;
gss_buffer_t  prf_in;
gss_buffer_t  prf_out;
ssize_t       output_len = sizeof(pre-master-secret);

GSS_Pseudo_random( &minor_status,
  		   gss_context,
		   GSS_C_PRF_KEY_FULL,
		   prf_in,
	           output_len,
                   prf_out);
		
where prf_in is the concatenation of all of the previous TLS messages
in the exchange up until the completion of the GSS handshake:

  prf_in = ClientHello || ServerHello || ....

What I hear you saying is that we should add an ephemeral-ephemeral DH
exchange in which case the prf_in will become:

  prf_in = g^xy mod p || ClientHello || ServerHello || ....

where g^xy mod p is the DH key.


Correct?

Jeffrey Altman

_______________________________________________
TLS mailing list
TLS@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls

v2.46.0 | Report a Bug | By Email | System Status