Re: [tram] Eric Rescorla's Discuss on draft-ietf-tram-stunbis-16: (with DISCUSS and COMMENT)

"Matthew A. Miller" <linuxwolf+ietf@outer-planes.net> Thu, 17 May 2018 22:17 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/tram/GYsHHUZzdRlzkqfuFaE7OeUu1Ms>

On 18/05/17 14:33, Benjamin Kaduk wrote:
> On Thu, May 17, 2018 at 01:22:04PM -0700, Eric Rescorla wrote:
>> On Thu, May 17, 2018 at 1:04 PM, Brandon Williams <
>> brandon.williams@akamai.com> wrote:
>>
>>>
>>> That having been said, I'm having trouble reconciling Ekr's "I don't see
>>> how a weakness in MD5 is relevant here" with Matt Miller's earlier comment
>>> "I am wondering why a more robust password algorithm (key derivation
>>> function) was not defined (e.g., HKDF-SHA-256)". Matt appears to suggest
>>> that we should go farther than we have while Ekr appears to suggest that we
>>> might not need to have gone even that far.
>>>
>>> Any suggestions about path to resolution on this? Am I just completely
>>> misinterpreting the comments we've received so far?
>>>
>>
>> Well, I don't know what Matt is thinking. Perhaps he would like to weigh in?
> 
> I think this is a question of "attack over the network" vs.
> "compromised password database".  You want HKDF-SHA-256 or Argon2 or
> something like that because it makes it harder for an attacker to
> brute-force a compromised database of hashed passwords, which is
> something of a different concern than turning a string into a crypto
> key and worrying about an attacker in the network that only observes
> the ciphertext.  That is, the problem of brute-forcing the secret material
> given the network ciphertext is different from attacking the
> (hashed) password database directly.
> 
> So it seems possible that both points are relevant, just protecting
> against different things.
> 

My initial thoughts were along the lines of "compromised database",
which admittedly data-at-rest is at the top of my mind most of the time.
The key derivations in this document are ok for how they are used.

I thought I'd backed away from that robustness point in the email
discussion that ensued from the review, as it sounded like a concern
that was out of scope for this work.  If offline attacks are in-scope
then something that makes brute force take some real work (at _a
minimum_ PBKDF2 with 10k+ iterations, or better yet use scrypt or
argon2).  If it's out-of-scope, then this needs to be called out in the
security considerations.

Otherwise, I think a valid concern to implementers is that MD5 is
getting removed from or turned off in various base libraries and modules.
Moving away from it, which helps implementations avoid having to rely on older
(and potentially vulnerable/exploitable) base libraries just to keep an
algorithm around, seems very worthwhile.



- m&m

Matthew A. Miller
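
The "compromised database" concern discussed in this thread, as an added example that is not part of the original message or of the draft: it contrasts a single-hash key with an at-rest verifier built on PBKDF2 at the 10k-iteration minimum mentioned above, and measures the per-check cost. The username:realm:password input form, the record layout, the salt size and all sample values are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 10_000  # the "at a minimum" PBKDF2 figure from the message


def fast_key(username: str, realm: str, password: str) -> bytes:
    """Single-hash key over username:realm:password (assumed input form)."""
    return hashlib.sha256(f"{username}:{realm}:{password}".encode()).digest()


def new_record(password: str) -> dict:
    """At-rest verifier with a random per-user salt (hypothetical layout)."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "iterations": ITERATIONS, "dk": dk}


def verify(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt and count; compare in constant time."""
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                             record["salt"], record["iterations"])
    return hmac.compare_digest(dk, record["dk"])


def per_guess_cost_ratio(rounds: int = 50) -> float:
    """How many times more CPU one PBKDF2 check costs than one fast hash."""
    t0 = time.perf_counter()
    for _ in range(rounds):
        fast_key("alice", "example.org", "constructed-password")
    fast = (time.perf_counter() - t0) / rounds
    rec = new_record("constructed-password")
    t0 = time.perf_counter()
    for _ in range(rounds):
        verify(rec, "constructed-password")
    slow = (time.perf_counter() - t0) / rounds
    return slow / fast


if __name__ == "__main__":
    rec = new_record("constructed-password")
    print("verify ok:", verify(rec, "constructed-password"))
    print("per-check cost ratio: %.0fx" % per_guess_cost_ratio())
```

The ratio is what a leaked table of such records costs to test per candidate password, relative to a table of single-hash keys; it says nothing about an observer who only sees integrity-protected messages on the network.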