Re: [TLS] I-D: CipherSuites for Kerberos + DH

Watson Ladd <watsonbladd@gmail.com> Sun, 11 October 2015 13:46 UTC

From: Watson Ladd <watsonbladd@gmail.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Cc: "tls@ietf.org" <tls@ietf.org>
Date: Sun, 11 Oct 2015 09:46:03 -0400
Message-ID: <CACsn0c=0dFpaRyiSsErVg_2cuco6M8mMgMS3YHLpxYEuH_82kw@mail.gmail.com>
In-Reply-To: <20151011121701.GA26616@LK-Perkele-V2.elisa-laajakaista.fi>
References: <561A0ED6.1000505@openfortress.nl> <20151011121701.GA26616@LK-Perkele-V2.elisa-laajakaista.fi>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/lx5wYXL1IK9of20Z7uul6tqWv74>

On Sun, Oct 11, 2015 at 8:17 AM, Ilari Liusvaara
<ilariliusvaara@welho.com> wrote:
> On Sun, Oct 11, 2015 at 09:25:10AM +0200, Rick van Rein wrote:
>> > *From:* internet-drafts@ietf.org
>> >
>> > Name:               draft-vanrein-tls-kdh
>> > Revision:   00
>>
>> Hello TLS WG,
>>
>> I would like to propose new CipherSuites for TLS.  The cryptography is
>> founded on Kerberos authentication and DH encryption, cryptographically
>> bound together.  The mechanism uses mutual authentication, although
>> clients may use anonymous tickets.
>>
>> Any feedback that you may have (technical, or WG-procedural) is kindly
>> welcomed.  I will also send this to the Kitten WG.
>
> Some quick comments:
> - The signed DH share does not look to be bound to anything (crypto
>   parameters negotiation, randoms, server key exchange, etc..). I can't
>   offhand say what that would lead to, but it looks even worse than
>   TLS ServerKeyExchange, which has known vulnerabilities due to
>   lack of binding to things like ciphersuite.
> - The ciphersuite list looks bad: 1) IDEA (bad idea), CBC
>   (don't use), apparent SHA-1 prf-hash (REALLY bad idea)[1][2].
> - Even use of DH is questionable.

I would suggest piggybacking on the PSK mode, using the key Kerberos
provides at both ends as the PSK key. This would address all of these
issues in TLS 1.3.

Sincerely,
Watson
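Added example, not part of the thread and not code from draft-vanrein-tls-kdh or from any of the participants: the TLS 1.3 external-PSK binder computation, written against the key schedule as it was finalized in RFC 8446 (sections 4.2.11.2 and 7.1) rather than the 2015 drafts, with a constructed 32-byte stand-in for a Kerberos session key used as the PSK. It shows what piggybacking on PSK mode buys against the binding objection above: the binder is an HMAC keyed from the PSK over the transcript hash of the ClientHello up to the binders list, so the server's check fails if anything the client offered (random, cipher suite list, identities) was altered in transit, or if the peer does not hold the same Kerberos-derived key. `KRB_SESSION_KEY`, `CLIENT_HELLO_OK` and `CLIENT_HELLO_TAMPERED` are constructed stand-ins, not real Kerberos or TLS encodings; the hash is SHA-256 and only the standard library is used.

```python
"""TLS 1.3 external-PSK binder (RFC 8446) keyed from a Kerberos-style session key.
Added example; hashlib/hmac only, SHA-256 key schedule."""
import hashlib
import hmac
import struct

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes for SHA-256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract: PRK = HMAC-Hash(salt, IKM)."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand: T(i) = HMAC(PRK, T(i-1) | info | i), concatenated."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]


def hkdf_expand_label(secret: bytes, label: str, context: bytes, length: int) -> bytes:
    """RFC 8446 HKDF-Expand-Label: info is the HkdfLabel struct
    {uint16 length; opaque label<7..255>; opaque context<0..255>},
    with the label prefixed by "tls13 "."""
    full_label = b"tls13 " + label.encode("ascii")
    hkdf_label = (struct.pack("!H", length)
                  + bytes([len(full_label)]) + full_label
                  + bytes([len(context)]) + context)
    return hkdf_expand(secret, hkdf_label, length)


def derive_secret(secret: bytes, label: str, messages: bytes) -> bytes:
    """RFC 8446 Derive-Secret: the context is the transcript hash of `messages`."""
    return hkdf_expand_label(secret, label, HASH(messages).digest(), HASH_LEN)


def psk_binder(psk: bytes, truncated_client_hello: bytes) -> bytes:
    """Binder for an externally provisioned PSK (label "ext binder").

    truncated_client_hello is the ClientHello up to, but not including,
    the binders list; client and server must hash exactly those bytes.
    """
    early_secret = hkdf_extract(bytes(HASH_LEN), psk)  # salt = Hash.length zero bytes
    binder_key = derive_secret(early_secret, "ext binder", b"")
    finished_key = hkdf_expand_label(binder_key, "finished", b"", HASH_LEN)
    return hmac.new(finished_key, HASH(truncated_client_hello).digest(), HASH).digest()


def verify_binder(psk: bytes, truncated_client_hello: bytes, binder: bytes) -> bool:
    """Server side: recompute the binder over the bytes actually received
    and compare in constant time."""
    return hmac.compare_digest(psk_binder(psk, truncated_client_hello), binder)


# --- constructed demo data (stand-ins, not real Kerberos or TLS encodings) ---
KRB_SESSION_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)  # PSK stand-in
# Stand-in for the ClientHello prefix: random || offered cipher suites || PSK identity.
CLIENT_HELLO_OK = bytes(range(32)) + b"\x13\x01\x13\x02" + b"krb5:client@EXAMPLE.ORG"
# The same hello after an on-path attacker strips the first cipher suite.
CLIENT_HELLO_TAMPERED = bytes(range(32)) + b"\x13\x02" + b"krb5:client@EXAMPLE.ORG"


def demo() -> dict:
    """Client computes the binder; server checks it against what it received."""
    binder = psk_binder(KRB_SESSION_KEY, CLIENT_HELLO_OK)
    return {
        "binder_hex": binder.hex(),
        "accepted_as_sent": verify_binder(KRB_SESSION_KEY, CLIENT_HELLO_OK, binder),
        "accepted_after_tamper": verify_binder(KRB_SESSION_KEY, CLIENT_HELLO_TAMPERED, binder),
        "accepted_wrong_key": verify_binder(bytes(32), CLIENT_HELLO_OK, binder),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The HKDF primitives can be checked against RFC 5869 test case 1 before trusting the rest; the binder itself has no standalone vector here, so the demo checks the properties that matter for the thread: acceptance of the untouched hello, rejection of a modified cipher suite list, and rejection when the peer holds a different key.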