Re: [tram] Eric Rescorla's Discuss on draft-ietf-tram-stunbis-16: (with DISCUSS and COMMENT)

Brandon Williams <brandon.williams@akamai.com> Thu, 17 May 2018 20:05 UTC

Return-Path: <brandon.williams@akamai.com>
X-Original-To: tram@ietfa.amsl.com
Delivered-To: tram@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C47A412711D; Thu, 17 May 2018 13:05:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.71
X-Spam-Level:
X-Spam-Status: No, score=-2.71 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=akamai.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id imjUACC8ly7h; Thu, 17 May 2018 13:04:59 -0700 (PDT)
Received: from mx0b-00190b01.pphosted.com (mx0b-00190b01.pphosted.com [IPv6:2620:100:9005:57f::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7300F1270B4; Thu, 17 May 2018 13:04:59 -0700 (PDT)
Received: from pps.filterd (m0050096.ppops.net [127.0.0.1]) by m0050096.ppops.net-00190b01. (8.16.0.22/8.16.0.22) with SMTP id w4HK2Fdu009040; Thu, 17 May 2018 21:04:46 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; h=subject : to : cc : references : from : message-id : date : mime-version : in-reply-to : content-type : content-transfer-encoding; s=jan2016.eng; bh=AWGLwp3H4Jl5dKIcJTzejypfjSws2xFNdqp4Ptjwl+E=; b=UVrVOJgXmbXb9Eo4T5xnU5Zd60U3Ti+Xoc4eomf2TNpJKwaGm+3+MhCarpFCrdCgVWlL 8+JDWHF95+NrtN6NHeSj1RWpFbACkMjYYGG4pojxNsa4JU29fvzLlvYVE+r8WI9n5n/A gE5pEjuJLh/sJ1Z7dAH5jlB589eBrz7nrg8KLBIqPeOJ9CEwHkOXdiVuZdcJKwS9fzFM nGh16iZXaq7e9FYfvmDzOrG54qNRS3LBiffLaHsBFc0j5eXvykU8nsYkW4aWEj0PDhjW bhE+f2MePogSzyg/cl1PCBg1CD1PBvY0N5ZiUXxdmGTdogOvk8xQ6G2ETVag/4VA27ld Pg==
Received: from prod-mail-ppoint4 ([96.6.114.87]) by m0050096.ppops.net-00190b01. with ESMTP id 2j0fscdbu9-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 17 May 2018 21:04:46 +0100
Received: from pps.filterd (prod-mail-ppoint4.akamai.com [127.0.0.1]) by prod-mail-ppoint4.akamai.com (8.16.0.21/8.16.0.21) with SMTP id w4HK1aRv023047; Thu, 17 May 2018 16:04:45 -0400
Received: from prod-mail-relay15.akamai.com ([172.27.17.40]) by prod-mail-ppoint4.akamai.com with ESMTP id 2hwukxe2bd-1; Thu, 17 May 2018 16:04:45 -0400
Received: from [172.28.116.218] (bowill.kendall.corp.akamai.com [172.28.116.218]) by prod-mail-relay15.akamai.com (Postfix) with ESMTP id 928DA20064; Thu, 17 May 2018 20:04:44 +0000 (GMT)
To: Benjamin Kaduk <kaduk@mit.edu>, Marc Petit-Huguenin <petithug@acm.org>
Cc: tram-chairs@ietf.org, Eric Rescorla <ekr@rtfm.com>, tram@ietf.org, Gonzalo Camarillo <Gonzalo.Camarillo@ericsson.com>, tasveren@rbbn.com, The IESG <iesg@ietf.org>, draft-ietf-tram-stunbis@ietf.org, "Matthew A. Miller" <linuxwolf+ietf@outer-planes.net>
References: <152390863222.19652.10310304989315386136.idtracker@ietfa.amsl.com> <c0a06754-6f8c-97dc-7f7e-26a7df43e842@acm.org> <31a441d2-8843-c8ee-f5ef-5496e5b4b364@acm.org> <CABcZeBO+2LG4-1-dhzTTSJFH6uhJdSEKLjyVfxO+krzHR8ueQw@mail.gmail.com> <29c18858-3694-c48a-54c3-6dcbfa3b6705@acm.org> <20180515182435.GN2249@kduck.kaduk.org>
From: Brandon Williams <brandon.williams@akamai.com>
Message-ID: <25e551de-87b7-1612-c869-8336fe3c4b95@akamai.com>
Date: Thu, 17 May 2018 16:04:42 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.7.0
MIME-Version: 1.0
In-Reply-To: <20180515182435.GN2249@kduck.kaduk.org>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2018-05-17_10:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1711220000 definitions=main-1805170185
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2018-05-17_10:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1011 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1711220000 definitions=main-1805170185
Archived-At: <https://mailarchive.ietf.org/arch/msg/tram/Qqmg8CritFcAa0unecgwjhYcYDs>
X-Mailman-Approved-At: Fri, 18 May 2018 10:29:12 -0700
Subject: Re: [tram] Eric Rescorla's Discuss on draft-ietf-tram-stunbis-16: (with DISCUSS and COMMENT)
X-BeenThere: tram@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Discussing the creation of a Turn Revised And Modernized \(TRAM\) WG, which goal is to consolidate the various initiatives to update TURN and STUN." <tram.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tram>, <mailto:tram-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tram/>
List-Post: <mailto:tram@ietf.org>
List-Help: <mailto:tram-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tram>, <mailto:tram-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 May 2018 20:05:03 -0000

I'll take a stab at describing the working group discussion, but please 
keep in mind that my recollection of this is faint ... it was a few 
years ago at this point.

The working group started with a fundamental assumption that we should 
be moving away from MD5 for the purpose of key generation. I don't 
recall the WG having any detailed discussion of whether using MD5 here 
is a real security weakness in the protocol; had Ekr suggested at the 
mic that MD5 weakness might not actually be a problem we quite possibly 
would have chosen not to make any change to key derivation at all.

So, working from the basic assumption that we should be moving away from 
MD5 for key derivation, it seemed only natural that we should be 
attempting to prevent an adversary from forcing downgrade back to MD5 
via a bid-down attack as a way to weaken key derivation. After all, if 
preventing bid-down is not important then the same logic seems to 
suggest that moving away from MD5 at all is not important.

I know that's not a very satisfying answer to the question of how we got 
here, but it represents my best recollection nonetheless.

That having been said, I'm having trouble reconciling Ekr's "I don't see 
how a weakness in MD5 is relevant here" with Matt Miller's earlier 
comment "I am wondering why a more robust password algorithm (key 
derivation function) was not defined (e.g., HKDF-SHA-256)". Matt appears 
to suggest that we should go farther than we have while Ekr appears to 
suggest that we might not need to have gone even that far.

Any suggestions about path to resolution on this? Am I just completely 
misinterpreting the comments we've received so far?

--Brandon

On 05/15/2018 02:24 PM, Benjamin Kaduk wrote:
> I think I have the same understanding as Ekr, in which case the
> bid-down concerns apply only to message integrity and not to
> password-algorithm.
> 
> So it would be good to hear from the WG on this issue.
> 
> -Benjamin
> 
> On Mon, May 14, 2018 at 01:06:00PM -0700, Marc Petit-Huguenin wrote:
>> During the discussion about choosing password algorithms, someone came to the microphone (AFAIR) and said that it was subject to bid-down attack.  We then design a solution to prevent that and that's what, after more discussions, we put in the draft.  So I welcome any comment on the strength or weakness of the protection offered by the scheme we put in place and any suggestion to make it better, but as for the reasons it is there you will have to talk to the Working Group.
>>
>> Thanks.
>>
>> On 05/03/2018 04:45 PM, Eric Rescorla wrote:
>>> No, I don't understand this at all. This section talks about a bid-down on
>>> the PASSWORD-ALGORITHM, but I don't see how a weakness in MD5 is relevant
>>> here.
>>>
>>> Assuming I understand correctly, the structure of the protocol is that
>>> given a password, you do:
>>>
>>>     key = Password-Algorithm(username, realm, password)
>>>
>>> And then use key with HMAC for an integrity check, where HMAC is SHA-1
>>> (with MESSAGE-INTEGRITY) or SHA-256 (with MESSAGE-INTEGRITY-SHA256).
>>> However, in this case the MD5 isn't a security critical component at the
>>> protocol layer [0], because it's just is just to act as a transformation of
>>> the password into a fixed-length string for use as a key, so this doesn't
>>> require collision resistance or pseudorandomness. I could be wrong here,
>>> but if so, please describe a potential weakness in MD5 which could lead to
>>> compromise of this protocol
>>>
>>> -Ekr
>>>
>>> [0] It might be an issue if someone were to recover the hashed password.
>>>
>>> On Thu, May 3, 2018 at 4:34 PM, Marc Petit-Huguenin <petithug@acm.org>
>>> wrote:
>>>
>>>> On 04/22/2018 02:02 PM, Marc Petit-Huguenin wrote:
>>>>> Hi Eric,
>>>>>
>>>>> Thanks for the review, please see my responses inline.
>>>>>
>>>>> On 04/16/2018 12:57 PM, Eric Rescorla wrote:
>>>>>> Eric Rescorla has entered the following ballot position for
>>>>>> draft-ietf-tram-stunbis-16: Discuss
>>>>>>
>>>>>> When responding, please keep the subject line intact and reply to all
>>>>>> email addresses included in the To and CC lines. (Feel free to cut this
>>>>>> introductory paragraph, however.)
>>>>>>
>>>>>>
>>>>>> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.
>>>> html
>>>>>> for more information about IESG DISCUSS and COMMENT positions.
>>>>>>
>>>>>>
>>>>>> The document, along with other ballot positions, can be found here:
>>>>>> https://datatracker.ietf.org/doc/draft-ietf-tram-stunbis/
>>>>>>
>>>>>>
>>>>>>
>>>>>> ----------------------------------------------------------------------
>>>>>> DISCUSS:
>>>>>> ----------------------------------------------------------------------
>>>>>>
>>>>>> Rich version of this review at:
>>>>>> https://mozphab-ietf.devsvcdev.mozaws.net/D5132
>>>>>>
>>>>>>
>>>>>> Can you please indicate how you addressed the points Matt Miller
>>>>>> raised in his secdir review about the use of MD5.
>>>>>
>>>>>  From my response on 2018-03-11:
>>>>>
>>>>>> * The description for 17.5.1. "MD5" list the key size as 20 bytes, but
>>>> the
>>>>>> hash length of MD5 is 16 bytes (128 bits).  I think this is merely a
>>>> typo,
>>>>>> since the purpose appears to be for backwards compatibility with
>>>> existing
>>>>>> systems.
>>>>>
>>>>> Fixed.
>>>>>
>>>>>>
>>>>>> * Both 17.5.1.1. "MD5" Section 9.2.2. "HMAC Key" (long-term credential)
>>>>>> and Section appear to define the same functional algorithm, but with
>>>> subtle
>>>>>> syntax differences.  As far as I can tell, they are actually the same
>>>>>> algorithm; would it not be acceptable to have Section 9.2.2 point to
>>>>>> Section 17.5.1.1 for the algorithm description?
>>>>>>
>>>>>>
>>>>>
>>>>> This is going into the IANA registry so I left things there.  I fixed
>>>> the discrepancy with section 9.2.2.
>>>>>
>>>>> I also fixed the definition of the key for SHA-256, which must use
>>>> OpaqueString for the realm.
>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> DETAIL
>>>>>>>       by the agent sending the indication.  It primarily serves to
>>>>>>>       correlate requests with responses, though it also plays a small
>>>> role
>>>>>>>       in helping to prevent certain types of attacks.  The server also
>>>> uses
>>>>>>>       the transaction ID as a key to identify each transaction uniquely
>>>>>>>       across all clients.  As such, the transaction ID MUST be uniformly
>>>>>>>       and randomly chosen from the interval 0 .. 2**96-1, and SHOULD be
>>>>>>
>>>>>> I didn't realize this was a SHOULD. ICE depends on it as a security
>>>>>> condition, so it probably needs to be a MUST.
>>>>>
>>>>> Done.
>>>>>
>>>>>>
>>>>>>
>>>>>>>       For a request or indication message, the agent MUST include the
>>>>>>>       USERNAME, MESSAGE-INTEGRITY-SHA256, and MESSAGE-INTEGRITY
>>>> attributes
>>>>>>>       in the message unless the agent knows from an external indication
>>>>>>>       which message integrity algorithm is supported by both agents.  In
>>>>>>>       this case either MESSAGE-INTEGRITY or MESSAGE-INTEGRITY-SHA256
>>>> MUST
>>>>>>>       be included in addition to USERNAME.  The HMAC for the MESSAGE-
>>>>>>
>>>>>> This text appears to conflict with S 7.3 of 5245-bis, which says:
>>>>>
>>>>> [text missing]
>>>>>
>>>>> Hmm, no, RFC245bis is still referencing RFC5389, so the procedure for
>>>> stunbis does not apply.
>>>>>
>>>>>>
>>>>>>
>>>>>>>       STUN Security Feature it is understood that the corresponding STUN
>>>>>>>       Security Feature bit in the "nonce cookie" is set to 1.
>>>>>>>
>>>>>>>       For example, in Section 9.2.4 discussing the PASSWORD-ALGORITHMS
>>>>>>>       security feature, it is implied that the "Password algorithms"
>>>> bit,
>>>>>>>       as defined in Section 17.1, is set to 1 in the "nonce cookie".
>>>>>>
>>>>>> I'm not sure I understand the bid down attack here or the proposed
>>>>>> defense.  Can you please walk through what the assumed attacker
>>>>>> capabilities are, what the client and server capabilities are, how the
>>>>>> bid down attack works, and how this protects against it?
>>>>>
>>>>> The plan is to add an annex to the document explaining that.  I'll
>>>> finish to process the other reviews from the IESG and then come back to
>>>> that.
>>>>>
>>>>
>>>> Instead of an annex, we added a new section in the Security
>>>> Considerations.  Please have a look at -17 and let us know if that
>>>> explanation is good enough.
>>>>
>>>> Thanks.
>>>>
>>>
>>
>>
>>
>> -- 
>> Marc Petit-Huguenin
>> Email: marc@petit-huguenin.org
>> Blog: https://marc.petit-huguenin.org
>> Profile: https://www.linkedin.com/in/petithug
>>
> 
> 
> 
> 
> _______________________________________________
> tram mailing list
> tram@ietf.org
> https://www.ietf.org/mailman/listinfo/tram
> 

-- 
Brandon Williams; Chief Architect
Cloud Networking; Akamai Technologies Inc.