Re: [tram] Benjamin Kaduk's No Record on draft-ietf-tram-stunbis-16: (with COMMENT)

Benjamin Kaduk <kaduk@mit.edu> Thu, 03 May 2018 13:44 UTC

Date: Thu, 03 May 2018 08:44:03 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: Rohan Mahy <rohan.mahy@gmail.com>
Cc: The IESG <iesg@ietf.org>, draft-ietf-tram-stunbis@ietf.org, Gonzalo Camarillo <Gonzalo.Camarillo@ericsson.com>, Tolga Asveren <tasveren@rbbn.com>, tram-chairs@ietf.org, tram@ietf.org
Message-ID: <20180503134403.GD23530@kduck.kaduk.org>
References: <152410023763.28841.5479872591399614102.idtracker@ietfa.amsl.com> <CAKoiRubiargH3eo66em57KY8xfk6sg9sUN5OwekoFwi9R=H5bQ@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tram/qSeHRmrmFTCu3T2bk6kSVy2FCBo>
List-Id: "Discussing the creation of a Turn Revised And Modernized \(TRAM\) WG, which goal is to consolidate the various initiatives to update TURN and STUN." <tram.ietf.org>

On Wed, May 02, 2018 at 05:44:00PM -0700, Rohan Mahy wrote:
> I had a quick question about your comment on stale nonce error handling
> (below).
> 
> If I were implementing, I would check if the nonce was fresh before
> checking if the password was valid. Would this potential attack be
> prevented if a stale nonce MUST return a 438 response whether or not the
> password is correct?

I believe so, yes.

-Benjamin

> Thanks,
> -rohan
> 
> > The Stale Nonce behavior seems potentially worrisome, in that it
> > opens up a side channel for a distinguishing attack,
> > between a 401 and 438 response.  (That is, "password correct" vs.
> > "password incorrect".)  The impact seems rather muted, though, since
> > the gain to the attacker is to be able to precompute a bunch of
> > requests using a nonce of the attacker's choosing and blindly replay
> > the precomputed object against (possibly multiple) servers looking
> > for a guess.  The realm and username are still in play, so the scope
> > for the attacker to gain from the precomputation seems limited.
> > (The same level of brute-force guessing can be obtained "live" just
> > by computing the trial responses against a live server, using a
> > valid nonce.)  So, while it might be nice to give guidance that 438
> > should only be used when the server can validate that it did
> > generate the nonce and the nonce was valid "recently", and to treat
> > other cases as authentication failures, it's not clear to me that
> > there's enough of a benefit from the change to make it worth doing.
> >
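
The check ordering discussed in this thread, as an added example that is not part of the original messages or of draft-ietf-tram-stunbis: the nonce is classified before the password-derived key is used, so a stale nonce yields 438 whether or not the password is right, and a nonce the server never minted is treated as an authentication failure. The nonce format, `SERVER_KEY`, `NONCE_LIFETIME`, all function names and the simplified integrity computation are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import struct

SERVER_KEY = os.urandom(32)   # assumption: per-server secret used to mint nonces
NONCE_LIFETIME = 600          # assumption: seconds a nonce counts as "recent"

def _tag(ts: bytes) -> bytes:
    return hmac.new(SERVER_KEY, ts, hashlib.sha256).digest()[:16]

def make_nonce(now: int) -> str:
    """Nonce = 8-byte issue time + truncated HMAC, so the server can recognise its own."""
    ts = struct.pack(">Q", int(now))
    return (ts + _tag(ts)).hex()

def nonce_state(nonce: str, now: int) -> str:
    """Return 'fresh', 'stale' (ours but expired) or 'foreign' (not minted by us)."""
    try:
        raw = bytes.fromhex(nonce)
    except ValueError:
        return "foreign"
    if len(raw) != 24 or not hmac.compare_digest(raw[8:], _tag(raw[:8])):
        return "foreign"
    age = now - struct.unpack(">Q", raw[:8])[0]
    return "fresh" if 0 <= age <= NONCE_LIFETIME else "stale"

def integrity(msg: bytes, nonce: str, key: bytes) -> bytes:
    # Simplified stand-in for MESSAGE-INTEGRITY: HMAC over message and nonce.
    return hmac.new(key, msg + nonce.encode(), hashlib.sha1).digest()

def respond(msg: bytes, nonce: str, mac: bytes, key: bytes, now: int) -> int:
    state = nonce_state(nonce, now)
    if state == "foreign":
        return 401            # cannot validate we generated it: authentication failure
    if state == "stale":
        return 438            # decided before the password-derived key is touched
    ok = hmac.compare_digest(mac, integrity(msg, nonce, key))
    return 200 if ok else 401
```

With this ordering the 401/438 split depends only on the nonce, so it carries no information about whether the guessed password was correct.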