Re: [tram] Eric Rescorla's Discuss on draft-ietf-tram-stunbis-16: (with DISCUSS and COMMENT)

Benjamin Kaduk <kaduk@mit.edu> Thu, 17 May 2018 20:33 UTC

Date: Thu, 17 May 2018 15:33:37 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: Eric Rescorla <ekr@rtfm.com>
Cc: Brandon Williams <brandon.williams@akamai.com>, Marc Petit-Huguenin <petithug@acm.org>, tram-chairs@ietf.org, tram@ietf.org, Gonzalo Camarillo <Gonzalo.Camarillo@ericsson.com>, tasveren@rbbn.com, The IESG <iesg@ietf.org>, draft-ietf-tram-stunbis@ietf.org, "Matthew A. Miller" <linuxwolf+ietf@outer-planes.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tram/aQAkpA66Y0GWorx2WT5waR27VpI>

On Thu, May 17, 2018 at 01:22:04PM -0700, Eric Rescorla wrote:
> On Thu, May 17, 2018 at 1:04 PM, Brandon Williams <brandon.williams@akamai.com> wrote:
> 
> >
> > That having been said, I'm having trouble reconciling Ekr's "I don't see
> > how a weakness in MD5 is relevant here" with Matt Miller's earlier comment
> > "I am wondering why a more robust password algorithm (key derivation
> > function) was not defined (e.g., HKDF-SHA-256)". Matt appears to suggest
> > that we should go farther than we have while Ekr appears to suggest that we
> > might not need to have gone even that far.
> >
> > Any suggestions about path to resolution on this? Am I just completely
> > misinterpreting the comments we've received so far?
> >
> 
> Well, I don't know what Matt is thinking. Perhaps he would like to weigh in?

I think this is a question of "attack over the network" vs.
"compromised password database".  You want HKDF-SHA-256 or Argon2 or
something like that because it makes it harder for an attacker to
brute-force a compromised database of hashed passwords, which is
something of a different concern than turning a string into a crypto
key and worrying about an attacker in the network that only observes
the ciphertext.  That is, the problem of brute-forcing the secret material
given the network ciphertext is different from attacking the
(hashed) password database directly.

So it seems possible that both points are relevant, just protecting
against different things.

-Benjamin
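
Added example, not part of the original message or of the draft: a Python sketch of the "compromised password database" side of the distinction above. It shows that the stored STUN long-term key is all a server needs to check MESSAGE-INTEGRITY, and compares the cost of deriving it with MD5 against a deliberately slow derivation. Assumptions: PBKDF2-HMAC-SHA256 stands in for Argon2 (which is not in the Python standard library), and the user name, realm, password, salt, iteration count and message bytes are constructed for illustration.

```python
import hashlib
import hmac
import time

# Constructed placeholder bytes, not a real STUN message; real MESSAGE-INTEGRITY
# covers the STUN header and the attributes that precede it.
SAMPLE_MESSAGE = b"constructed-stun-request-bytes"

def long_term_key(username: str, realm: str, password: str) -> bytes:
    """Long-term credential key: MD5(username ":" realm ":" password).
    Password preparation (SASLprep/OpaqueString) is skipped; ASCII assumed."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).digest()

def stretched_key(username: str, realm: str, password: str,
                  iterations: int = 100_000) -> bytes:
    """Hypothetical slow derivation (PBKDF2 standing in for Argon2).
    The salt and iteration count are assumptions, not from the draft."""
    salt = f"{username}:{realm}".encode()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                               iterations, dklen=16)

def message_integrity(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA1 tag, the form MESSAGE-INTEGRITY takes on the wire."""
    return hmac.new(key, message, hashlib.sha1).digest()

def server_verifies(stored_key: bytes, message: bytes, tag: bytes) -> bool:
    """The server checks the tag from the stored key alone; it never needs
    the password, so the stored key is what a database leak exposes."""
    return hmac.compare_digest(message_integrity(stored_key, message), tag)

def seconds_per_derivation(derive, rounds: int) -> float:
    start = time.perf_counter()
    for _ in range(rounds):
        derive("alice", "example.org", "constructed-password")
    return (time.perf_counter() - start) / rounds

def work_factor_ratio() -> float:
    """Cost of one slow derivation relative to one MD5 derivation."""
    fast = seconds_per_derivation(long_term_key, 5000)
    slow = seconds_per_derivation(stretched_key, 3)
    return slow / fast

if __name__ == "__main__":
    key = long_term_key("alice", "example.org", "constructed-password")
    tag = message_integrity(key, SAMPLE_MESSAGE)
    print("verified with stored key:", server_verifies(key, SAMPLE_MESSAGE, tag))
    print(f"slow/fast cost per derivation: {work_factor_ratio():,.0f}x")
```

The ratio printed is the extra work each password guess costs someone holding a leaked key database when the slow derivation is used instead of a single MD5.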