IETF Logo Mail Archive

Re: [tram] Benjamin Kaduk's No Record on draft-ietf-tram-stunbis-16: (with COMMENT)

Rohan Mahy <rohan.mahy@gmail.com> Thu, 03 May 2018 00:44 UTC

Return-Path: <rohan.mahy@gmail.com>
X-Original-To: tram@ietfa.amsl.com
Delivered-To: tram@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 043E8127275; Wed, 2 May 2018 17:44:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R89AuwrEs-Oq; Wed, 2 May 2018 17:44:02 -0700 (PDT)
Received: from mail-vk0-x244.google.com (mail-vk0-x244.google.com [IPv6:2607:f8b0:400c:c05::244]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1FCC2127241; Wed, 2 May 2018 17:44:02 -0700 (PDT)
Received: by mail-vk0-x244.google.com with SMTP id g72-v6so5810283vke.2; Wed, 02 May 2018 17:44:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=Af7lxBqQW6I0gm5ib8/3WaY9p0XlNF8plzzIIHtv7fo=; b=o8VoGR2CnTxINHm/L12iPpfpuoYRde8NEXnUXXQk6ad9+ELgizXIGuqZb4SA/lCCCS x+hDJO91d6OWAhtBE0hAyfXZDxrRjPSeET61ePQIiu3ARvckQ9cs//SFkVAtYxyPQRGp 6ETq6/o45jUpCFwE3j9n6mDhLOLglaSPP8ZWEWM6bxmhnHi5xsPcz2XFkF60DZe79uro xc+63m4gN4645B8kWXxS+x361p1y+Ww4XXy1LPjVKxZfM1doJ2Ey+m4brDJzodEQtQ1f BAg6EaLAv+JDXadUV7N8CjcSDGWUGgnzdVJ89FtvRlohvbteO1j4NM12QU0xELtDbB1R MPQA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=Af7lxBqQW6I0gm5ib8/3WaY9p0XlNF8plzzIIHtv7fo=; b=qrI6iFpk0rZU125xmLGw29Ufxcas2QI8q6vmLXHObTeqGbThC5GteKSGau8i3Upo3i peadbDEDEsEROitl++fChSew2E58HG1a4jQfnlEx+7osskUhCkhzsISx3bESkCLMEJCS ifJ8yshjAph96pHNrfzDLVHLRTbTz4yeCRct4tCfrS7tO7aNAftBvf6gGTHLNwiBT8Ae IT4zWHS64FrSZWGNlZjlINVwX5rNUKW3PVLrHXkEUPRx3dr+1RrxKaBg+B1UoIcYrUr9 VN88l23f/zwgWyw/zIUn7nMny1Vg0RscdOboJd+ZSJw9DATezJ2ypvGnB29SFlmDmXz6 jlJA==
X-Gm-Message-State: ALQs6tA5bBlPGUJ1Vvne9X4rRsO8shh+6DwezWCWk2fLUUkYxNGitVbz 5lTK8JJo/9sy5Jer9oflEs4/j/MV/j0lv+yo6NU=
X-Google-Smtp-Source: AB8JxZqnvOwJrOkTopITUvu/lCQVgBqvE5X3hP3VsQbGpyKb5gwu3gtaUgUjGtok4g9u1quJqDvO9LfijFkvQNeeNUc=
X-Received: by 2002:a1f:954c:: with SMTP id x73-v6mr14535010vkd.129.1525308241082; Wed, 02 May 2018 17:44:01 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.103.112.66 with HTTP; Wed, 2 May 2018 17:44:00 -0700 (PDT)
In-Reply-To: <152410023763.28841.5479872591399614102.idtracker@ietfa.amsl.com>
References: <152410023763.28841.5479872591399614102.idtracker@ietfa.amsl.com>
From: Rohan Mahy <rohan.mahy@gmail.com>
Date: Wed, 02 May 2018 17:44:00 -0700
Message-ID: <CAKoiRubiargH3eo66em57KY8xfk6sg9sUN5OwekoFwi9R=H5bQ@mail.gmail.com>
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: The IESG <iesg@ietf.org>, draft-ietf-tram-stunbis@ietf.org, Gonzalo Camarillo <Gonzalo.Camarillo@ericsson.com>, Tolga Asveren <tasveren@rbbn.com>, tram-chairs@ietf.org, tram@ietf.org
Content-Type: multipart/alternative; boundary="000000000000e1fda8056b427f7e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tram/dal4yeSz-Q1H5JFuhr988G18wLc>
Subject: Re: [tram] Benjamin Kaduk's No Record on draft-ietf-tram-stunbis-16: (with COMMENT)
X-BeenThere: tram@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Discussing the creation of a Turn Revised And Modernized \(TRAM\) WG, which goal is to consolidate the various initiatives to update TURN and STUN." <tram.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tram>, <mailto:tram-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tram/>
List-Post: <mailto:tram@ietf.org>
List-Help: <mailto:tram-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tram>, <mailto:tram-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 May 2018 00:44:04 -0000

I had a quick question about your comment on stale nonce error handling
(below).

If I were implementing, I would check if the nonce was fresh before
checking if the password was valid. Would this potential attack be
prevented if a stale nonce MUST return a 438 response whether or not the
password is correct?

Thanks,
-rohan
​

> The Stale Nonce behavior seems potentially worrisome, in that it
> opens up a side channel for a distinguishing attack,
> between a 401 and 438 response.  (That is, "password correct" vs.
> "password incorrect".)  The impact seems rather muted, though, since
> the gain to the attacker is to be able to precompute a bunch of
> requests using a nonce of the attacker's choosing and blindly replay
> the precomputed object against (possibly multiple) servers looking
> for a guess.  The realm and username are still in play, so the scope
> for the attacker to gain from the precomputation seems limited.
> (The same level of brute-force guessing can be obtained "live" just
> by computing the trial responses against a live server, using a
> valid nonce.)  So, while it might be nice to give guidance that 438
> should only be used when the server can validate that it did
> generate the nonce and the nonce was valid "recently", and to treat
> other cases as authentication failures, it's not clear to me that
> there's enough of a benefit from the change to make it worth doing.
>

v2.23.0 | Report a Bug | By Email