Re: [tram] Eric Rescorla's Discuss on draft-ietf-tram-stunbis-16: (with DISCUSS and COMMENT)

"Matthew A. Miller" <> Thu, 17 May 2018 22:17 UTC

From: "Matthew A. Miller" <>
To: Benjamin Kaduk <>, Eric Rescorla <>
Cc: Brandon Williams <>, Marc Petit-Huguenin <>, Gonzalo Camarillo <>, The IESG <>
Date: Thu, 17 May 2018 16:17:44 -0600

On 18/05/17 14:33, Benjamin Kaduk wrote:
> On Thu, May 17, 2018 at 01:22:04PM -0700, Eric Rescorla wrote:
>> On Thu, May 17, 2018 at 1:04 PM, Brandon Williams <> wrote:
>>> That having been said, I'm having trouble reconciling Ekr's "I don't see
>>> how a weakness in MD5 is relevant here" with Matt Miller's earlier comment
>>> "I am wondering why a more robust password algorithm (key derivation
>>> function) was not defined (e.g., HKDF-SHA-256)". Matt appears to suggest
>>> that we should go farther than we have while Ekr appears to suggest that we
>>> might not need to have gone even that far.
>>> Any suggestions about path to resolution on this? Am I just completely
>>> misinterpreting the comments we've received so far?
>> Well, I don't know what Matt is thinking. Perhaps he would like to weigh in?
> I think this is a question of "attack over the network" vs.
> "compromised password database".  You want HKDF-SHA-256 or Argon2 or
> something like that because it makes it harder for an attacker to
> brute-force a compromised database of hashed passwords, which is
> something of a different concern than turning a string into a crypto
> key and worrying about an attacker in the network that only observes
> the ciphertext.  That is, the problem of brute-forcing the secret material
> given the network ciphertext is different from attacking the
> (hashed) password database directly.
> So it seems possible that both points are relevant, just protecting
> against different things.

My initial thoughts were along the lines of "compromised database",
which, admittedly, is because data-at-rest is at the top of my mind most
of the time.  The key derivations in this document are OK for how they
are used.

I thought I'd backed away from that robustness point in the email
discussion that ensued from the review, as it sounded like a concern
that was out of scope for this work.  If offline attacks are in scope,
then something that makes brute force take some real work is needed (at
_a minimum_ PBKDF2 with 10k+ iterations, or better yet scrypt or
argon2).  If they are out of scope, then this needs to be called out in
the security considerations.

Otherwise, I think a valid concern to implementers is that MD5 is
getting removed from or turned off in various base libraries and
modules.  Moving away from it, so that implementations avoid having to
rely on older (and potentially vulnerable/exploitable) base libraries
just to keep an algorithm around, seems very worthwhile.

- m&m

Matthew A. Miller
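The distinction Ben and Matt draw above (a fast, unsalted derivation that is fine for turning a string into a per-session crypto key, versus a slow, salted password hash that protects a compromised credential database) is easiest to see with the two derivations side by side. The following is an added example written for this archive page, not code from the draft or from any of the participants. It assumes the RFC 5389 long-term credential key formula, MD5 over `username ":" realm ":" password`, with the SASLprep/OpaqueString profiling of realm and password omitted, and it uses PBKDF2-HMAC-SHA256 with the "10k+ iterations" floor mentioned in the thread as the slow alternative; the usernames, realm, salts and iteration count are constructed values.

```python
"""Fast STUN-style key derivation vs. a slow, salted password hash.

Added example for the thread above; not from the draft or its authors.
Assumes the RFC 5389 key formula MD5(username ":" realm ":" password),
with SASLprep/OpaqueString processing omitted for brevity.
"""
import hashlib
import hmac
import os
import time

# Work factor floor suggested in the thread: "at a minimum PBKDF2 with 10k+ iterations".
PBKDF2_ITERATIONS = 10_000


def stun_long_term_key_md5(username: str, realm: str, password: str) -> bytes:
    """Long-term credential key in the RFC 5389 style: one MD5 over a fixed
    concatenation.  No salt, no iteration count: it is cheap by design because
    both peers must recompute it for every MESSAGE-INTEGRITY check."""
    material = f"{username}:{realm}:{password}".encode("utf-8")
    return hashlib.md5(material).digest()  # 16-byte key


def derive_slow(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Salted, iterated derivation of the kind Matt asks about for protecting a
    stored credential database (PBKDF2-HMAC-SHA256; scrypt/argon2 would be stronger)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)


def new_stored_record(password: str, iterations: int = PBKDF2_ITERATIONS) -> dict:
    """What a server would persist for a slow hash: a fresh random salt per
    user, the iteration count, and the derived value.  (Constructed layout.)"""
    salt = os.urandom(16)
    return {"salt": salt, "iterations": iterations, "hash": derive_slow(password, salt, iterations)}


def verify_stored(record: dict, candidate: str) -> bool:
    """Constant-time comparison of a candidate password against a stored record."""
    derived = derive_slow(candidate, record["salt"], record["iterations"])
    return hmac.compare_digest(derived, record["hash"])


def seconds_per_derivation(fn, rounds: int) -> float:
    """Average wall-clock cost of one call to fn over `rounds` calls."""
    start = time.perf_counter()
    for _ in range(rounds):
        fn()
    return (time.perf_counter() - start) / rounds


def work_factor_ratio(rounds_fast: int = 2000, rounds_slow: int = 20) -> float:
    """How many times more CPU one candidate-password check costs against the
    slow record than against the MD5 key.  This ratio is the 'compromised
    database' concern in the thread: it bounds how much an offline guess costs
    the attacker relative to a plain MD5 key, and does nothing for the
    'attacker in the network' case, where only the MAC is observed."""
    salt = b"constructed-fixed-salt-16"  # fixed only so the benchmark is repeatable
    fast = seconds_per_derivation(
        lambda: stun_long_term_key_md5("alice", "example.org", "candidate"), rounds_fast)
    slow = seconds_per_derivation(lambda: derive_slow("candidate", salt), rounds_slow)
    return slow / fast


if __name__ == "__main__":
    key = stun_long_term_key_md5("alice", "example.org", "s3cret")
    print("STUN long-term key (MD5):", key.hex())
    record = new_stored_record("s3cret")
    print("slow record verifies correct password:", verify_stored(record, "s3cret"))
    print("slow record rejects wrong password:   ", verify_stored(record, "wrong"))
    print(f"one guess against the slow record costs ~{work_factor_ratio():.0f}x an MD5 key derivation")
```

Note that the ratio only speaks to the offline, database-compromise threat model: a STUN server still needs the actual long-term key to compute MESSAGE-INTEGRITY, so whichever derivation produces that key, the server-side storage of the key itself is what a slow hash would have to protect.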