IETF Logo Mail Archive

Re: [tram] Eric Rescorla's Discuss on draft-ietf-tram-stunbis-16: (with DISCUSS and COMMENT)

Eric Rescorla <ekr@rtfm.com> Thu, 17 May 2018 20:22 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tram@ietfa.amsl.com
Delivered-To: tram@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AABFF12EB9B for <tram@ietfa.amsl.com>; Thu, 17 May 2018 13:22:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.908
X-Spam-Level:
X-Spam-Status: No, score=-1.908 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, T_DKIMWL_WL_MED=-0.01, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dRQ8qUix-F85 for <tram@ietfa.amsl.com>; Thu, 17 May 2018 13:22:50 -0700 (PDT)
Received: from mail-oi0-x22e.google.com (mail-oi0-x22e.google.com [IPv6:2607:f8b0:4003:c06::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9DA0712EB96 for <tram@ietf.org>; Thu, 17 May 2018 13:22:46 -0700 (PDT)
Received: by mail-oi0-x22e.google.com with SMTP id l1-v6so5197339oii.1 for <tram@ietf.org>; Thu, 17 May 2018 13:22:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=udf0rIE+u8rFMfnDKUDqUVFXbGTTOs1NgJNQkvCTRBk=; b=VORVKLLJ68CqMG2pRboF+CUyUE55hhJBk5olq2V8OzGZ48rIQ1rRbcOGfvilNS3tEj s4n77xfOf63lvJ+NNtvBcuU2zIyz4kQBqtNoZFwWKgMagmYSnkFhucARYbx+UpwgbeKv /MYfy9kmTsRIBAfOL40W0G2TtO1hk8pEGpntaGJBvaMIhkTPpZ9q3rwwleeGc0mo0cEJ Vy8Kjttl5lwjYpbOUdr/2DRRWGp85KBcaqDmSdIidbs6TKS3e9IyIIajXQUpn/KsZVcb 2ScsCyz8GPaYqj8xzU/vpQLuy4GKvz8TMfewTFzwqOyzcfLtZFHtT9Fd8YDFY8I4WUni fl4g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=udf0rIE+u8rFMfnDKUDqUVFXbGTTOs1NgJNQkvCTRBk=; b=BazfEwjzq1+p3mBua0yLra4nhpNWjlSZSSHF2dAQeROIpEzrZE+htKA477i1hM3Dcr NxUIrEh0ub53ffxzUACXbBY9AmNvTxnfnLCT5EbtD3WuQYwiLacQHr13vo8q3dZEVeWt AkwnxUoBCk8PFbJRO/CjIFaXLGvBzF+YoCkzBdTlUwGzYYjOWpr6fYVd5NdY9cVJ1ggC rqqC+TTsHl1w+/LxebFw78u34wr/GAsLHHZ7l2jFabcsKuDgR2YBYs/E9t6S/a86T+ZU leArzRyq6lASHzIN7ym7D0ZZ0hvwEtgToGvLmQH/Y8Hf2p6cmbW7RbEIsn6xamxz3VpS vIRA==
X-Gm-Message-State: ALKqPwfpRKLncYeVPUfbmNht4cVu8U4nZcP88Qrr7hLYBq6dURWmCeym RLNvWJ3Uvl6gxVwSp+ULOOHKPuNViJlTuiXXwGnqsQ==
X-Google-Smtp-Source: AB8JxZoVtcU+5V+yhfba88hb3pjMbwz/9xbmU3P9+uht8xuVdpb0KpNuFb5S2PHjTr/MMpphdA/zgnIptbnDJIYndXI=
X-Received: by 2002:aca:c589:: with SMTP id v131-v6mr4306245oif.92.1526588565917; Thu, 17 May 2018 13:22:45 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.201.118.130 with HTTP; Thu, 17 May 2018 13:22:04 -0700 (PDT)
In-Reply-To: <25e551de-87b7-1612-c869-8336fe3c4b95@akamai.com>
References: <152390863222.19652.10310304989315386136.idtracker@ietfa.amsl.com> <c0a06754-6f8c-97dc-7f7e-26a7df43e842@acm.org> <31a441d2-8843-c8ee-f5ef-5496e5b4b364@acm.org> <CABcZeBO+2LG4-1-dhzTTSJFH6uhJdSEKLjyVfxO+krzHR8ueQw@mail.gmail.com> <29c18858-3694-c48a-54c3-6dcbfa3b6705@acm.org> <20180515182435.GN2249@kduck.kaduk.org> <25e551de-87b7-1612-c869-8336fe3c4b95@akamai.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 17 May 2018 13:22:04 -0700
Message-ID: <CABcZeBN+sgdH5a56zWTHm-=PD3vJ_DzSyPZYF=S5Bt3i_ATvBw@mail.gmail.com>
To: Brandon Williams <brandon.williams@akamai.com>
Cc: Benjamin Kaduk <kaduk@mit.edu>, Marc Petit-Huguenin <petithug@acm.org>, tram-chairs@ietf.org, tram@ietf.org, Gonzalo Camarillo <Gonzalo.Camarillo@ericsson.com>, tasveren@rbbn.com, The IESG <iesg@ietf.org>, draft-ietf-tram-stunbis@ietf.org, "Matthew A. Miller" <linuxwolf+ietf@outer-planes.net>
Content-Type: multipart/alternative; boundary="00000000000030a932056c6c99a0"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tram/o-pwj8-MvkSkR-nB6BCj5wG9Ork>
X-Mailman-Approved-At: Fri, 18 May 2018 10:29:12 -0700
Subject: Re: [tram] Eric Rescorla's Discuss on draft-ietf-tram-stunbis-16: (with DISCUSS and COMMENT)
X-BeenThere: tram@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Discussing the creation of a Turn Revised And Modernized \(TRAM\) WG, which goal is to consolidate the various initiatives to update TURN and STUN." <tram.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tram>, <mailto:tram-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tram/>
List-Post: <mailto:tram@ietf.org>
List-Help: <mailto:tram-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tram>, <mailto:tram-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 May 2018 20:22:54 -0000

On Thu, May 17, 2018 at 1:04 PM, Brandon Williams <
brandon.williams@akamai.com> wrote:

> I'll take a stab at describing the working group discussion, but please
> keep in mind that my recollection of this is faint ... it was a few years
> ago at this point.
>
> The working group started with a fundamental assumption that we should be
> moving away from MD5 for the purpose of key generation. I don't recall the
> WG having any detailed discussion of whether using MD5 here is a real
> security weakness in the protocol; had Ekr suggested at the mic that MD5
> weakness might not actually be a problem we quite possibly would have
> chosen not to make any change to key derivation at all.
>

Sure. I don't remember being in the room for this.



> So, working from the basic assumption that we should be moving away from
> MD5 for key derivation, it seemed only natural that we should be attempting
> to prevent an adversary from forcing downgrade back to MD5 via a bid-down
> attack as a way to weaken key derivation. After all, if preventing bid-down
> is not important then the same logic seems to suggest that moving away from
> MD5 at all is not important.
>
> I know that's not a very satisfying answer to the question of how we got
> here, but it represents my best recollection nonetheless.
>
> That having been said, I'm having trouble reconciling Ekr's "I don't see
> how a weakness in MD5 is relevant here" with Matt Miller's earlier comment
> "I am wondering why a more robust password algorithm (key derivation
> function) was not defined (e.g., HKDF-SHA-256)". Matt appears to suggest
> that we should go farther than we have while Ekr appears to suggest that we
> might not need to have gone even that far.
>
> Any suggestions about path to resolution on this? Am I just completely
> misinterpreting the comments we've received so far?
>

Well, I don't know what Matt is thinking. Perhaps he would like to weigh in?

-Ekr


> --Brandon
>
>
> On 05/15/2018 02:24 PM, Benjamin Kaduk wrote:
>
>> I think I have the same understanding as Ekr, in which case the
>> bid-down concerns apply only to message integrity and not to
>> password-algorithm.
>>
>> So it would be good to hear from the WG on this issue.
>>
>> -Benjamin
>>
>> On Mon, May 14, 2018 at 01:06:00PM -0700, Marc Petit-Huguenin wrote:
>>
>>> During the discussion about choosing password algorithms, someone came
>>> to the microphone (AFAIR) and said that it was subject to bid-down attack.
>>> We then design a solution to prevent that and that's what, after more
>>> discussions, we put in the draft.  So I welcome any comment on the strength
>>> or weakness of the protection offered by the scheme we put in place and any
>>> suggestion to make it better, but as for the reasons it is there you will
>>> have to talk to the Working Group.
>>>
>>> Thanks.
>>>
>>> On 05/03/2018 04:45 PM, Eric Rescorla wrote:
>>>
>>>> No, I don't understand this at all. This section talks about a bid-down
>>>> on
>>>> the PASSWORD-ALGORITHM, but I don't see how a weakness in MD5 is
>>>> relevant
>>>> here.
>>>>
>>>> Assuming I understand correctly, the structure of the protocol is that
>>>> given a password, you do:
>>>>
>>>>     key = Password-Algorithm(username, realm, password)
>>>>
>>>> And then use key with HMAC for an integrity check, where HMAC is SHA-1
>>>> (with MESSAGE-INTEGRITY) or SHA-256 (with MESSAGE-INTEGRITY-SHA256).
>>>> However, in this case the MD5 isn't a security critical component at the
>>>> protocol layer [0], because it's just is just to act as a
>>>> transformation of
>>>> the password into a fixed-length string for use as a key, so this
>>>> doesn't
>>>> require collision resistance or pseudorandomness. I could be wrong here,
>>>> but if so, please describe a potential weakness in MD5 which could lead
>>>> to
>>>> compromise of this protocol
>>>>
>>>> -Ekr
>>>>
>>>> [0] It might be an issue if someone were to recover the hashed password.
>>>>
>>>> On Thu, May 3, 2018 at 4:34 PM, Marc Petit-Huguenin <petithug@acm.org>
>>>> wrote:
>>>>
>>>> On 04/22/2018 02:02 PM, Marc Petit-Huguenin wrote:
>>>>>
>>>>>> Hi Eric,
>>>>>>
>>>>>> Thanks for the review, please see my responses inline.
>>>>>>
>>>>>> On 04/16/2018 12:57 PM, Eric Rescorla wrote:
>>>>>>
>>>>>>> Eric Rescorla has entered the following ballot position for
>>>>>>> draft-ietf-tram-stunbis-16: Discuss
>>>>>>>
>>>>>>> When responding, please keep the subject line intact and reply to all
>>>>>>> email addresses included in the To and CC lines. (Feel free to cut
>>>>>>> this
>>>>>>> introductory paragraph, however.)
>>>>>>>
>>>>>>>
>>>>>>> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria
>>>>>>> .
>>>>>>>
>>>>>> html
>>>>>
>>>>>> for more information about IESG DISCUSS and COMMENT positions.
>>>>>>>
>>>>>>>
>>>>>>> The document, along with other ballot positions, can be found here:
>>>>>>> https://datatracker.ietf.org/doc/draft-ietf-tram-stunbis/
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> ------------------------------------------------------------
>>>>>>> ----------
>>>>>>> DISCUSS:
>>>>>>> ------------------------------------------------------------
>>>>>>> ----------
>>>>>>>
>>>>>>> Rich version of this review at:
>>>>>>> https://mozphab-ietf.devsvcdev.mozaws.net/D5132
>>>>>>>
>>>>>>>
>>>>>>> Can you please indicate how you addressed the points Matt Miller
>>>>>>> raised in his secdir review about the use of MD5.
>>>>>>>
>>>>>>
>>>>>>  From my response on 2018-03-11:
>>>>>>
>>>>>> * The description for 17.5.1. "MD5" list the key size as 20 bytes, but
>>>>>>>
>>>>>> the
>>>>>
>>>>>> hash length of MD5 is 16 bytes (128 bits).  I think this is merely a
>>>>>>>
>>>>>> typo,
>>>>>
>>>>>> since the purpose appears to be for backwards compatibility with
>>>>>>>
>>>>>> existing
>>>>>
>>>>>> systems.
>>>>>>>
>>>>>>
>>>>>> Fixed.
>>>>>>
>>>>>>
>>>>>>> * Both 17.5.1.1. "MD5" Section 9.2.2. "HMAC Key" (long-term
>>>>>>> credential)
>>>>>>> and Section appear to define the same functional algorithm, but with
>>>>>>>
>>>>>> subtle
>>>>>
>>>>>> syntax differences.  As far as I can tell, they are actually the same
>>>>>>> algorithm; would it not be acceptable to have Section 9.2.2 point to
>>>>>>> Section 17.5.1.1 for the algorithm description?
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>> This is going into the IANA registry so I left things there.  I fixed
>>>>>>
>>>>> the discrepancy with section 9.2.2.
>>>>>
>>>>>>
>>>>>> I also fixed the definition of the key for SHA-256, which must use
>>>>>>
>>>>> OpaqueString for the realm.
>>>>>
>>>>>>
>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> DETAIL
>>>>>>>
>>>>>>>>       by the agent sending the indication.  It primarily serves to
>>>>>>>>       correlate requests with responses, though it also plays a
>>>>>>>> small
>>>>>>>>
>>>>>>> role
>>>>>
>>>>>>       in helping to prevent certain types of attacks.  The server also
>>>>>>>>
>>>>>>> uses
>>>>>
>>>>>>       the transaction ID as a key to identify each transaction
>>>>>>>> uniquely
>>>>>>>>       across all clients.  As such, the transaction ID MUST be
>>>>>>>> uniformly
>>>>>>>>       and randomly chosen from the interval 0 .. 2**96-1, and
>>>>>>>> SHOULD be
>>>>>>>>
>>>>>>>
>>>>>>> I didn't realize this was a SHOULD. ICE depends on it as a security
>>>>>>> condition, so it probably needs to be a MUST.
>>>>>>>
>>>>>>
>>>>>> Done.
>>>>>>
>>>>>>
>>>>>>>
>>>>>>>       For a request or indication message, the agent MUST include the
>>>>>>>>       USERNAME, MESSAGE-INTEGRITY-SHA256, and MESSAGE-INTEGRITY
>>>>>>>>
>>>>>>> attributes
>>>>>
>>>>>>       in the message unless the agent knows from an external
>>>>>>>> indication
>>>>>>>>       which message integrity algorithm is supported by both
>>>>>>>> agents.  In
>>>>>>>>       this case either MESSAGE-INTEGRITY or MESSAGE-INTEGRITY-SHA256
>>>>>>>>
>>>>>>> MUST
>>>>>
>>>>>>       be included in addition to USERNAME.  The HMAC for the MESSAGE-
>>>>>>>>
>>>>>>>
>>>>>>> This text appears to conflict with S 7.3 of 5245-bis, which says:
>>>>>>>
>>>>>>
>>>>>> [text missing]
>>>>>>
>>>>>> Hmm, no, RFC245bis is still referencing RFC5389, so the procedure for
>>>>>>
>>>>> stunbis does not apply.
>>>>>
>>>>>>
>>>>>>
>>>>>>>
>>>>>>>       STUN Security Feature it is understood that the corresponding
>>>>>>>> STUN
>>>>>>>>       Security Feature bit in the "nonce cookie" is set to 1.
>>>>>>>>
>>>>>>>>       For example, in Section 9.2.4 discussing the
>>>>>>>> PASSWORD-ALGORITHMS
>>>>>>>>       security feature, it is implied that the "Password algorithms"
>>>>>>>>
>>>>>>> bit,
>>>>>
>>>>>>       as defined in Section 17.1, is set to 1 in the "nonce cookie".
>>>>>>>>
>>>>>>>
>>>>>>> I'm not sure I understand the bid down attack here or the proposed
>>>>>>> defense.  Can you please walk through what the assumed attacker
>>>>>>> capabilities are, what the client and server capabilities are, how
>>>>>>> the
>>>>>>> bid down attack works, and how this protects against it?
>>>>>>>
>>>>>>
>>>>>> The plan is to add an annex to the document explaining that.  I'll
>>>>>>
>>>>> finish to process the other reviews from the IESG and then come back to
>>>>> that.
>>>>>
>>>>>>
>>>>>>
>>>>> Instead of an annex, we added a new section in the Security
>>>>> Considerations.  Please have a look at -17 and let us know if that
>>>>> explanation is good enough.
>>>>>
>>>>> Thanks.
>>>>>
>>>>>
>>>>
>>>
>>>
>>> --
>>> Marc Petit-Huguenin
>>> Email: marc@petit-huguenin.org
>>> Blog: https://marc.petit-huguenin.org
>>> Profile: https://www.linkedin.com/in/petithug
>>>
>>>
>>
>>
>>
>> _______________________________________________
>> tram mailing list
>> tram@ietf.org
>> https://www.ietf.org/mailman/listinfo/tram
>>
>>
> --
> Brandon Williams; Chief Architect
> Cloud Networking; Akamai Technologies Inc.
>

v2.23.0 | Report a Bug | By Email