Re: [tram] Eric Rescorla's Discuss on draft-ietf-tram-stunbis-16: (with DISCUSS and COMMENT)
Eric Rescorla <ekr@rtfm.com> Thu, 17 May 2018 20:22 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tram@ietfa.amsl.com
Delivered-To: tram@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AABFF12EB9B for <tram@ietfa.amsl.com>; Thu, 17 May 2018 13:22:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.908
X-Spam-Level:
X-Spam-Status: No, score=-1.908 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, T_DKIMWL_WL_MED=-0.01, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dRQ8qUix-F85 for <tram@ietfa.amsl.com>; Thu, 17 May 2018 13:22:50 -0700 (PDT)
Received: from mail-oi0-x22e.google.com (mail-oi0-x22e.google.com [IPv6:2607:f8b0:4003:c06::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9DA0712EB96 for <tram@ietf.org>; Thu, 17 May 2018 13:22:46 -0700 (PDT)
Received: by mail-oi0-x22e.google.com with SMTP id l1-v6so5197339oii.1 for <tram@ietf.org>; Thu, 17 May 2018 13:22:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=udf0rIE+u8rFMfnDKUDqUVFXbGTTOs1NgJNQkvCTRBk=; b=VORVKLLJ68CqMG2pRboF+CUyUE55hhJBk5olq2V8OzGZ48rIQ1rRbcOGfvilNS3tEj s4n77xfOf63lvJ+NNtvBcuU2zIyz4kQBqtNoZFwWKgMagmYSnkFhucARYbx+UpwgbeKv /MYfy9kmTsRIBAfOL40W0G2TtO1hk8pEGpntaGJBvaMIhkTPpZ9q3rwwleeGc0mo0cEJ Vy8Kjttl5lwjYpbOUdr/2DRRWGp85KBcaqDmSdIidbs6TKS3e9IyIIajXQUpn/KsZVcb 2ScsCyz8GPaYqj8xzU/vpQLuy4GKvz8TMfewTFzwqOyzcfLtZFHtT9Fd8YDFY8I4WUni fl4g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=udf0rIE+u8rFMfnDKUDqUVFXbGTTOs1NgJNQkvCTRBk=; b=BazfEwjzq1+p3mBua0yLra4nhpNWjlSZSSHF2dAQeROIpEzrZE+htKA477i1hM3Dcr NxUIrEh0ub53ffxzUACXbBY9AmNvTxnfnLCT5EbtD3WuQYwiLacQHr13vo8q3dZEVeWt AkwnxUoBCk8PFbJRO/CjIFaXLGvBzF+YoCkzBdTlUwGzYYjOWpr6fYVd5NdY9cVJ1ggC rqqC+TTsHl1w+/LxebFw78u34wr/GAsLHHZ7l2jFabcsKuDgR2YBYs/E9t6S/a86T+ZU leArzRyq6lASHzIN7ym7D0ZZ0hvwEtgToGvLmQH/Y8Hf2p6cmbW7RbEIsn6xamxz3VpS vIRA==
X-Gm-Message-State: ALKqPwfpRKLncYeVPUfbmNht4cVu8U4nZcP88Qrr7hLYBq6dURWmCeym RLNvWJ3Uvl6gxVwSp+ULOOHKPuNViJlTuiXXwGnqsQ==
X-Google-Smtp-Source: AB8JxZoVtcU+5V+yhfba88hb3pjMbwz/9xbmU3P9+uht8xuVdpb0KpNuFb5S2PHjTr/MMpphdA/zgnIptbnDJIYndXI=
X-Received: by 2002:aca:c589:: with SMTP id v131-v6mr4306245oif.92.1526588565917; Thu, 17 May 2018 13:22:45 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.201.118.130 with HTTP; Thu, 17 May 2018 13:22:04 -0700 (PDT)
In-Reply-To: <25e551de-87b7-1612-c869-8336fe3c4b95@akamai.com>
References: <152390863222.19652.10310304989315386136.idtracker@ietfa.amsl.com> <c0a06754-6f8c-97dc-7f7e-26a7df43e842@acm.org> <31a441d2-8843-c8ee-f5ef-5496e5b4b364@acm.org> <CABcZeBO+2LG4-1-dhzTTSJFH6uhJdSEKLjyVfxO+krzHR8ueQw@mail.gmail.com> <29c18858-3694-c48a-54c3-6dcbfa3b6705@acm.org> <20180515182435.GN2249@kduck.kaduk.org> <25e551de-87b7-1612-c869-8336fe3c4b95@akamai.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 17 May 2018 13:22:04 -0700
Message-ID: <CABcZeBN+sgdH5a56zWTHm-=PD3vJ_DzSyPZYF=S5Bt3i_ATvBw@mail.gmail.com>
To: Brandon Williams <brandon.williams@akamai.com>
Cc: Benjamin Kaduk <kaduk@mit.edu>, Marc Petit-Huguenin <petithug@acm.org>, tram-chairs@ietf.org, tram@ietf.org, Gonzalo Camarillo <Gonzalo.Camarillo@ericsson.com>, tasveren@rbbn.com, The IESG <iesg@ietf.org>, draft-ietf-tram-stunbis@ietf.org, "Matthew A. Miller" <linuxwolf+ietf@outer-planes.net>
Content-Type: multipart/alternative; boundary="00000000000030a932056c6c99a0"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tram/o-pwj8-MvkSkR-nB6BCj5wG9Ork>
X-Mailman-Approved-At: Fri, 18 May 2018 10:29:12 -0700
Subject: Re: [tram] Eric Rescorla's Discuss on draft-ietf-tram-stunbis-16: (with DISCUSS and COMMENT)
X-BeenThere: tram@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Discussing the creation of a Turn Revised And Modernized \(TRAM\) WG, which goal is to consolidate the various initiatives to update TURN and STUN." <tram.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tram>, <mailto:tram-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tram/>
List-Post: <mailto:tram@ietf.org>
List-Help: <mailto:tram-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tram>, <mailto:tram-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 May 2018 20:22:54 -0000
On Thu, May 17, 2018 at 1:04 PM, Brandon Williams < brandon.williams@akamai.com> wrote: > I'll take a stab at describing the working group discussion, but please > keep in mind that my recollection of this is faint ... it was a few years > ago at this point. > > The working group started with a fundamental assumption that we should be > moving away from MD5 for the purpose of key generation. I don't recall the > WG having any detailed discussion of whether using MD5 here is a real > security weakness in the protocol; had Ekr suggested at the mic that MD5 > weakness might not actually be a problem we quite possibly would have > chosen not to make any change to key derivation at all. > Sure. I don't remember being in the room for this. > So, working from the basic assumption that we should be moving away from > MD5 for key derivation, it seemed only natural that we should be attempting > to prevent an adversary from forcing downgrade back to MD5 via a bid-down > attack as a way to weaken key derivation. After all, if preventing bid-down > is not important then the same logic seems to suggest that moving away from > MD5 at all is not important. > > I know that's not a very satisfying answer to the question of how we got > here, but it represents my best recollection nonetheless. > > That having been said, I'm having trouble reconciling Ekr's "I don't see > how a weakness in MD5 is relevant here" with Matt Miller's earlier comment > "I am wondering why a more robust password algorithm (key derivation > function) was not defined (e.g., HKDF-SHA-256)". Matt appears to suggest > that we should go farther than we have while Ekr appears to suggest that we > might not need to have gone even that far. > > Any suggestions about path to resolution on this? Am I just completely > misinterpreting the comments we've received so far? > Well, I don't know what Matt is thinking. Perhaps he would like to weigh in? -Ekr > --Brandon > > > On 05/15/2018 02:24 PM, Benjamin Kaduk wrote: > >> I think I have the same understanding as Ekr, in which case the >> bid-down concerns apply only to message integrity and not to >> password-algorithm. >> >> So it would be good to hear from the WG on this issue. >> >> -Benjamin >> >> On Mon, May 14, 2018 at 01:06:00PM -0700, Marc Petit-Huguenin wrote: >> >>> During the discussion about choosing password algorithms, someone came >>> to the microphone (AFAIR) and said that it was subject to bid-down attack. >>> We then design a solution to prevent that and that's what, after more >>> discussions, we put in the draft. So I welcome any comment on the strength >>> or weakness of the protection offered by the scheme we put in place and any >>> suggestion to make it better, but as for the reasons it is there you will >>> have to talk to the Working Group. >>> >>> Thanks. >>> >>> On 05/03/2018 04:45 PM, Eric Rescorla wrote: >>> >>>> No, I don't understand this at all. This section talks about a bid-down >>>> on >>>> the PASSWORD-ALGORITHM, but I don't see how a weakness in MD5 is >>>> relevant >>>> here. >>>> >>>> Assuming I understand correctly, the structure of the protocol is that >>>> given a password, you do: >>>> >>>> key = Password-Algorithm(username, realm, password) >>>> >>>> And then use key with HMAC for an integrity check, where HMAC is SHA-1 >>>> (with MESSAGE-INTEGRITY) or SHA-256 (with MESSAGE-INTEGRITY-SHA256). >>>> However, in this case the MD5 isn't a security critical component at the >>>> protocol layer [0], because it's just is just to act as a >>>> transformation of >>>> the password into a fixed-length string for use as a key, so this >>>> doesn't >>>> require collision resistance or pseudorandomness. I could be wrong here, >>>> but if so, please describe a potential weakness in MD5 which could lead >>>> to >>>> compromise of this protocol >>>> >>>> -Ekr >>>> >>>> [0] It might be an issue if someone were to recover the hashed password. >>>> >>>> On Thu, May 3, 2018 at 4:34 PM, Marc Petit-Huguenin <petithug@acm.org> >>>> wrote: >>>> >>>> On 04/22/2018 02:02 PM, Marc Petit-Huguenin wrote: >>>>> >>>>>> Hi Eric, >>>>>> >>>>>> Thanks for the review, please see my responses inline. >>>>>> >>>>>> On 04/16/2018 12:57 PM, Eric Rescorla wrote: >>>>>> >>>>>>> Eric Rescorla has entered the following ballot position for >>>>>>> draft-ietf-tram-stunbis-16: Discuss >>>>>>> >>>>>>> When responding, please keep the subject line intact and reply to all >>>>>>> email addresses included in the To and CC lines. (Feel free to cut >>>>>>> this >>>>>>> introductory paragraph, however.) >>>>>>> >>>>>>> >>>>>>> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria >>>>>>> . >>>>>>> >>>>>> html >>>>> >>>>>> for more information about IESG DISCUSS and COMMENT positions. >>>>>>> >>>>>>> >>>>>>> The document, along with other ballot positions, can be found here: >>>>>>> https://datatracker.ietf.org/doc/draft-ietf-tram-stunbis/ >>>>>>> >>>>>>> >>>>>>> >>>>>>> ------------------------------------------------------------ >>>>>>> ---------- >>>>>>> DISCUSS: >>>>>>> ------------------------------------------------------------ >>>>>>> ---------- >>>>>>> >>>>>>> Rich version of this review at: >>>>>>> https://mozphab-ietf.devsvcdev.mozaws.net/D5132 >>>>>>> >>>>>>> >>>>>>> Can you please indicate how you addressed the points Matt Miller >>>>>>> raised in his secdir review about the use of MD5. >>>>>>> >>>>>> >>>>>> From my response on 2018-03-11: >>>>>> >>>>>> * The description for 17.5.1. "MD5" list the key size as 20 bytes, but >>>>>>> >>>>>> the >>>>> >>>>>> hash length of MD5 is 16 bytes (128 bits). I think this is merely a >>>>>>> >>>>>> typo, >>>>> >>>>>> since the purpose appears to be for backwards compatibility with >>>>>>> >>>>>> existing >>>>> >>>>>> systems. >>>>>>> >>>>>> >>>>>> Fixed. >>>>>> >>>>>> >>>>>>> * Both 17.5.1.1. "MD5" Section 9.2.2. "HMAC Key" (long-term >>>>>>> credential) >>>>>>> and Section appear to define the same functional algorithm, but with >>>>>>> >>>>>> subtle >>>>> >>>>>> syntax differences. As far as I can tell, they are actually the same >>>>>>> algorithm; would it not be acceptable to have Section 9.2.2 point to >>>>>>> Section 17.5.1.1 for the algorithm description? >>>>>>> >>>>>>> >>>>>>> >>>>>> This is going into the IANA registry so I left things there. I fixed >>>>>> >>>>> the discrepancy with section 9.2.2. >>>>> >>>>>> >>>>>> I also fixed the definition of the key for SHA-256, which must use >>>>>> >>>>> OpaqueString for the realm. >>>>> >>>>>> >>>>>> >>>>>>> >>>>>>> >>>>>>> DETAIL >>>>>>> >>>>>>>> by the agent sending the indication. It primarily serves to >>>>>>>> correlate requests with responses, though it also plays a >>>>>>>> small >>>>>>>> >>>>>>> role >>>>> >>>>>> in helping to prevent certain types of attacks. The server also >>>>>>>> >>>>>>> uses >>>>> >>>>>> the transaction ID as a key to identify each transaction >>>>>>>> uniquely >>>>>>>> across all clients. As such, the transaction ID MUST be >>>>>>>> uniformly >>>>>>>> and randomly chosen from the interval 0 .. 2**96-1, and >>>>>>>> SHOULD be >>>>>>>> >>>>>>> >>>>>>> I didn't realize this was a SHOULD. ICE depends on it as a security >>>>>>> condition, so it probably needs to be a MUST. >>>>>>> >>>>>> >>>>>> Done. >>>>>> >>>>>> >>>>>>> >>>>>>> For a request or indication message, the agent MUST include the >>>>>>>> USERNAME, MESSAGE-INTEGRITY-SHA256, and MESSAGE-INTEGRITY >>>>>>>> >>>>>>> attributes >>>>> >>>>>> in the message unless the agent knows from an external >>>>>>>> indication >>>>>>>> which message integrity algorithm is supported by both >>>>>>>> agents. In >>>>>>>> this case either MESSAGE-INTEGRITY or MESSAGE-INTEGRITY-SHA256 >>>>>>>> >>>>>>> MUST >>>>> >>>>>> be included in addition to USERNAME. The HMAC for the MESSAGE- >>>>>>>> >>>>>>> >>>>>>> This text appears to conflict with S 7.3 of 5245-bis, which says: >>>>>>> >>>>>> >>>>>> [text missing] >>>>>> >>>>>> Hmm, no, RFC245bis is still referencing RFC5389, so the procedure for >>>>>> >>>>> stunbis does not apply. >>>>> >>>>>> >>>>>> >>>>>>> >>>>>>> STUN Security Feature it is understood that the corresponding >>>>>>>> STUN >>>>>>>> Security Feature bit in the "nonce cookie" is set to 1. >>>>>>>> >>>>>>>> For example, in Section 9.2.4 discussing the >>>>>>>> PASSWORD-ALGORITHMS >>>>>>>> security feature, it is implied that the "Password algorithms" >>>>>>>> >>>>>>> bit, >>>>> >>>>>> as defined in Section 17.1, is set to 1 in the "nonce cookie". >>>>>>>> >>>>>>> >>>>>>> I'm not sure I understand the bid down attack here or the proposed >>>>>>> defense. Can you please walk through what the assumed attacker >>>>>>> capabilities are, what the client and server capabilities are, how >>>>>>> the >>>>>>> bid down attack works, and how this protects against it? >>>>>>> >>>>>> >>>>>> The plan is to add an annex to the document explaining that. I'll >>>>>> >>>>> finish to process the other reviews from the IESG and then come back to >>>>> that. >>>>> >>>>>> >>>>>> >>>>> Instead of an annex, we added a new section in the Security >>>>> Considerations. Please have a look at -17 and let us know if that >>>>> explanation is good enough. >>>>> >>>>> Thanks. >>>>> >>>>> >>>> >>> >>> >>> -- >>> Marc Petit-Huguenin >>> Email: marc@petit-huguenin.org >>> Blog: https://marc.petit-huguenin.org >>> Profile: https://www.linkedin.com/in/petithug >>> >>> >> >> >> >> _______________________________________________ >> tram mailing list >> tram@ietf.org >> https://www.ietf.org/mailman/listinfo/tram >> >> > -- > Brandon Williams; Chief Architect > Cloud Networking; Akamai Technologies Inc. >
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Eric Rescorla
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Gonzalo Camarillo
- [tram] Eric Rescorla's Discuss on draft-ietf-tram… Eric Rescorla
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Marc Petit-Huguenin
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Eric Rescorla
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Marc Petit-Huguenin
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Marc Petit-Huguenin
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Eric Rescorla
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Eric Rescorla
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Marc Petit-Huguenin
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Benjamin Kaduk
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Brandon Williams
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Eric Rescorla
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Benjamin Kaduk
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Eric Rescorla
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Benjamin Kaduk
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Matthew A. Miller
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Brandon Williams
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Benjamin Kaduk
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Marc Petit-Huguenin
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Eric Rescorla
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Marc Petit-Huguenin
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Spencer Dawkins at IETF
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Eric Rescorla
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Marc Petit-Huguenin
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Spencer Dawkins at IETF
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Gonzalo Camarillo
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Eric Rescorla
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Spencer Dawkins at IETF
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Gonzalo Camarillo
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Eric Rescorla
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Gonzalo Camarillo
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Gonzalo Salgueiro (gsalguei)
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Gonzalo Camarillo
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Gonzalo Salgueiro (gsalguei)
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Gonzalo Camarillo
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Eric Rescorla
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Spencer Dawkins at IETF
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Gonzalo Salgueiro (gsalguei)
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Eric Rescorla
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Gonzalo Salgueiro (gsalguei)
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Eric Rescorla
- [tram] Blackout posting of draft-ietf-tram-stunbi… Spencer Dawkins at IETF
- Re: [tram] Blackout posting of draft-ietf-tram-st… Gonzalo Salgueiro (gsalguei)