Re: [tram] Eric Rescorla's Discuss on draft-ietf-tram-stunbis-16: (with DISCUSS and COMMENT)

Eric Rescorla <ekr@rtfm.com> Thu, 17 May 2018 20:51 UTC

From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 17 May 2018 13:50:31 -0700
Message-ID: <CABcZeBOM6OybXi84DxDzHcgu_tezhZRETW9Dmh41hYre9w+iXA@mail.gmail.com>
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: Brandon Williams <brandon.williams@akamai.com>, Marc Petit-Huguenin <petithug@acm.org>, tram-chairs@ietf.org, tram@ietf.org, Gonzalo Camarillo <Gonzalo.Camarillo@ericsson.com>, tasveren@rbbn.com, The IESG <iesg@ietf.org>, draft-ietf-tram-stunbis@ietf.org, "Matthew A. Miller" <linuxwolf+ietf@outer-planes.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tram/yZnJ3CTxuegrdZUN1Vptc1y939g>

On Thu, May 17, 2018 at 1:33 PM, Benjamin Kaduk <kaduk@mit.edu> wrote:

> On Thu, May 17, 2018 at 01:22:04PM -0700, Eric Rescorla wrote:
> > On Thu, May 17, 2018 at 1:04 PM, Brandon Williams <
> > brandon.williams@akamai.com> wrote:
> >
> > >
> > > That having been said, I'm having trouble reconciling Ekr's "I don't see
> > > how a weakness in MD5 is relevant here" with Matt Miller's earlier comment
> > > "I am wondering why a more robust password algorithm (key derivation
> > > function) was not defined (e.g., HKDF-SHA-256)". Matt appears to suggest
> > > that we should go farther than we have while Ekr appears to suggest that we
> > > might not need to have gone even that far.
> > >
> > > Any suggestions about path to resolution on this? Am I just completely
> > > misinterpreting the comments we've received so far?
> > >
> >
> > Well, I don't know what Matt is thinking. Perhaps he would like to weigh in?
>
> I think this is a question of "attack over the network" vs.
> "compromised password database".  You want HKDF-SHA-256 or Argon2 or
> something like that because it makes it harder for an attacker to
> brute-force a compromised database of hashed passwords, which is
> something of a different concern than turning a string into a crypto
> key and worrying about an attacker in the network that only observes
> the ciphertext.  That is, the problem of brute-forcing the secret material
> given the network ciphertext is different from attacking the
> (hashed) password database directly.
>

Right. But the weak password hashing function is a problem if you have
the data on disk, whether you negotiate it or not, so biddown protection
doesn't help.

-Ekr

> So it seems possible that both points are relevant, just protecting
> against different things.
>
> -Benjamin
>
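The two threat models Benjamin separates, seen from the server side, as an added example that is not part of the thread or the stunbis draft. It assumes the stunbis long-term credential shape: key = H(username ":" realm ":" password) with H being MD5 (legacy) or SHA-256, MESSAGE-INTEGRITY = HMAC-SHA1(key, message), and OpaqueString/SASLprep processing omitted; the credentials and message bytes are constructed. The record a negotiating server keeps on disk is a fast hash of the password for every algorithm it offers, which is the exposure Ekr describes, while a network observer only ever sees the HMAC.

```python
import hashlib
import hmac

# Assumed stunbis password algorithms; a negotiating server offers both.
PASSWORD_ALGORITHMS = {"MD5": hashlib.md5, "SHA-256": hashlib.sha256}


def derive_key(username: str, realm: str, password: str, algorithm: str = "MD5") -> bytes:
    """Long-term credential key (assumed form; OpaqueString profile omitted)."""
    h = PASSWORD_ALGORITHMS[algorithm]
    return h(f"{username}:{realm}:{password}".encode("utf-8")).digest()


def message_integrity(key: bytes, message: bytes) -> bytes:
    """MESSAGE-INTEGRITY over the message bytes (simplified: no length fix-up)."""
    return hmac.new(key, message, hashlib.sha1).digest()


def stored_record(username: str, realm: str, password: str,
                  algorithms=("MD5", "SHA-256")) -> dict:
    """What the server keeps on disk to serve any client it negotiates with:
    one single-pass hash per offered algorithm. Bid-down protection on the
    wire does not change this record; it is still one fast hash per guess
    for anyone holding the database, unlike an Argon2/HKDF-style KDF output."""
    return {alg: derive_key(username, realm, password, alg) for alg in algorithms}


def verify(record: dict, algorithm: str, message: bytes, received_mi: bytes) -> bool:
    """Server-side check: only the stored key is needed, so the record alone
    suffices both to verify and to compute valid integrity values."""
    expected = message_integrity(record[algorithm], message)
    return hmac.compare_digest(expected, received_mi)


def demo():
    # Constructed credentials and a constructed (not real STUN) message body.
    rec = stored_record("alice", "example.org", "correct horse battery")
    msg = b"\x00\x01\x00\x00\x21\x12\xa4\x42constructed-transaction"
    mi = message_integrity(rec["SHA-256"], msg)
    return verify(rec, "SHA-256", msg, mi), {k: len(v) for k, v in rec.items()}


if __name__ == "__main__":
    print(demo())
```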