IETF Logo Mail Archive

Re: [Unbearable] ramifications of longer EKMs

Andrei Popov <Andrei.Popov@microsoft.com> Thu, 23 February 2017 20:13 UTC

Return-Path: <Andrei.Popov@microsoft.com>
X-Original-To: unbearable@ietfa.amsl.com
Delivered-To: unbearable@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 947E7129A7E for <unbearable@ietfa.amsl.com>; Thu, 23 Feb 2017 12:13:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9flxTJ_oRu8C for <unbearable@ietfa.amsl.com>; Thu, 23 Feb 2017 12:13:48 -0800 (PST)
Received: from NAM03-BY2-obe.outbound.protection.outlook.com (mail-by2nam03on0103.outbound.protection.outlook.com [104.47.42.103]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 74A4D12957F for <unbearable@ietf.org>; Thu, 23 Feb 2017 12:13:48 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=ZlwutS15KcKt/1snzYPS6NtJVi/AAyzW/MHVyFwbTGc=; b=H8sgdkwOPu76D8JYtacea0BhCT2x3coND6wak9OUnqczLZ0kGkrqhLBmlct5hRAaKnRnrAGNVsz4YfShiZR5FkVnu43KTtt0Gx3mcRc6PPT+fUDx2OhlXwSeDjmsnDWQ26bAajaY7lKUEg9l0WpPEAlzfnTe9XyZzUqalTFpSr4=
Received: from CY1PR0301MB0842.namprd03.prod.outlook.com (10.160.163.148) by CY1PR0301MB0842.namprd03.prod.outlook.com (10.160.163.148) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.919.13; Thu, 23 Feb 2017 20:13:44 +0000
Received: from CY1PR0301MB0842.namprd03.prod.outlook.com ([10.160.163.148]) by CY1PR0301MB0842.namprd03.prod.outlook.com ([10.160.163.148]) with mapi id 15.01.0919.018; Thu, 23 Feb 2017 20:13:44 +0000
From: Andrei Popov <Andrei.Popov@microsoft.com>
To: Brian Campbell <bcampbell@pingidentity.com>
Thread-Topic: [Unbearable] ramifications of longer EKMs
Thread-Index: AQHSjVYgmQf/q9+NMUG8uI+0qEZ9BqF1ncIggAAZn4CAAACqsIAADg1QgADNxwCAAG9TYA==
Date: Thu, 23 Feb 2017 20:13:44 +0000
Message-ID: <CY1PR0301MB08427EB93E5E942C662AF06B8C530@CY1PR0301MB0842.namprd03.prod.outlook.com>
References: <CA+k3eCTRAdwW9xj2JRcs7LwgXJtWj=zDFrZVGJVLmV-vHuYstw@mail.gmail.com> <CY1PR0301MB0842D765811AA4C37AE332938C500@CY1PR0301MB0842.namprd03.prod.outlook.com> <CA+k3eCQw4KErXHrQWx=uEmf6OKvp9nGQYiC2nWk4+exorxjDCg@mail.gmail.com> <CY1PR0301MB0842C76A829D345AAC18FB988C530@CY1PR0301MB0842.namprd03.prod.outlook.com> <CY1PR0301MB0842026E974F75CE28AA264C8C530@CY1PR0301MB0842.namprd03.prod.outlook.com> <CA+k3eCQZKAf7BOWKBDQqBDR63OBKOogyuDT+j1JCqSDU3EUuQg@mail.gmail.com>
In-Reply-To: <CA+k3eCQZKAf7BOWKBDQqBDR63OBKOogyuDT+j1JCqSDU3EUuQg@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Andrei.Popov@microsoft.com;
x-originating-ip: [2001:4898:80e8:8::1d2]
x-ms-office365-filtering-correlation-id: 6095337f-fe04-45d2-d600-08d45c28781d
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001)(48565401081); SRVR:CY1PR0301MB0842;
x-microsoft-exchange-diagnostics: 1; CY1PR0301MB0842; 7:cx27zar2RyYVD6R9oiKHvpt71iMmOFRRcIAKAfT72FbTE4jM64BAIvM9WK0Lr8MkrgGwdMKYvuzQgHI/jNFZ1T2lgkdgNgeLWa5pWTLQ7mw7tQU8bRrmL7lbJuuyc6kkv7k56yv2xWmiZMysK+dJYBu/TaH6BbpETyP6Y98lJ7JrT0FTdlXykyuCQMkLnAmeAv0TbDVYM1REP/1iIwN2hGgfE1N4daCCVLzbNqCqwlq771A+NyJusAG+H7f89DdhGVv+MQHvhl/5kKnWI2TVX7m/e17lQnu0Dx7Ec7+LaDezdI9zvJeVSuVvrQRP55xRbCFy01/XrKv9I5i/Xxhyfr1sIrEsFeXGZLZF0nWWBUo=
x-microsoft-antispam-prvs: <CY1PR0301MB0842FE1F21C5C025DE7162028C530@CY1PR0301MB0842.namprd03.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(21748063052155);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425038)(6040375)(601004)(2401047)(8121501046)(5005006)(10201501046)(3002001)(6055026)(61426038)(61427038)(6041248)(20161123562025)(20161123555025)(20161123564025)(20161123558025)(20161123560025)(6072148); SRVR:CY1PR0301MB0842; BCL:0; PCL:0; RULEID:; SRVR:CY1PR0301MB0842;
x-forefront-prvs: 02272225C5
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(7916002)(39840400002)(39860400002)(39850400002)(39450400003)(39410400002)(199003)(377454003)(24454002)(189002)(68736007)(7696004)(25786008)(2900100001)(4326007)(10090500001)(55016002)(93886004)(3280700002)(790700001)(9686003)(101416001)(102836003)(110136004)(54896002)(7736002)(3660700001)(236005)(6306002)(54356999)(76176999)(99286003)(86362001)(50986999)(92566002)(74316002)(97736004)(10290500002)(81156014)(229853002)(6246003)(81166006)(6436002)(6916009)(77096006)(53936002)(33656002)(38730400002)(86612001)(5660300001)(8936002)(122556002)(8676002)(8990500004)(6116002)(106116001)(5005710100001)(105586002)(106356001)(2950100002)(189998001)(53546006)(6506006)(2906002)(148743002); DIR:OUT; SFP:1102; SCL:1; SRVR:CY1PR0301MB0842; H:CY1PR0301MB0842.namprd03.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_CY1PR0301MB08427EB93E5E942C662AF06B8C530CY1PR0301MB0842_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 23 Feb 2017 20:13:44.7407 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY1PR0301MB0842
Archived-At: <https://mailarchive.ietf.org/arch/msg/unbearable/OkGE0y7MeNfU6JZIJSr4V9aIvMs>
Cc: IETF Tokbind WG <unbearable@ietf.org>
Subject: Re: [Unbearable] ramifications of longer EKMs
X-BeenThere: unbearable@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "\"This list is for discussion of proposals for doing better than bearer tokens \(e.g. HTTP cookies, OAuth tokens etc.\) for web applications. The specific goal is chartering a WG focused on preventing security token export and replay attacks.\"" <unbearable.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/unbearable>, <mailto:unbearable-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/unbearable/>
List-Post: <mailto:unbearable@ietf.org>
List-Help: <mailto:unbearable-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/unbearable>, <mailto:unbearable-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Feb 2017 20:13:51 -0000

Ø  Are you suggesting that tokbind-tls-term should have more than one model?
Alternatively, we may end up with more than one tokbind-tls-term☺.


Ø  Or that the “dumb/slim” TTRP model is most likely to be the desired model?
It seems undesirable to prevent “dumb/slim” TTRPs, regardless of what tokbind-tls-term ends up saying.


Ø  Yes, that's an accurate description of what I'd proposed as option 4)
Then what we have in option 4) is an IDP that supports a subset, rather than superset, of its RP’s TB key parameters. Which is a known type of misconfiguration that can happen between the IDP and RPs.
In any case, the TB key parameters negotiation would not be very robust if we say that a given signature scheme really requires a 64-byte EKM, but may also be used with a 32-byte EKM if the binding is Referred…

From: Brian Campbell [mailto:bcampbell@pingidentity.com]
Sent: Thursday, February 23, 2017 5:18 AM
To: Andrei Popov <Andrei.Popov@microsoft.com>
Cc: IETF Tokbind WG <unbearable@ietf.org>
Subject: Re: [Unbearable] ramifications of longer EKMs

Sure, this design would work. My point is that the tokbind-tls-term document cannot require one particular model of TB processing, because if this one model does not meet a data center’s requirements/architecture, the document is easily ignored. And it would be particularly undesirable to lose the “dumb/slim” TTRP model.

Are you suggesting that tokbind-tls-term should have more than one model? Or that the “dumb/slim” TTRP model is most likely to be the desired model?
Backend could pass the TB key parameters to the TTRP, or these could be part of the TTRP configuration. All the “dumb/slim” TTRP needs to know is TB protocol version and a prioritized list of TB key parameter IDs.
Sure, that prioritized list of TB key parameter IDs is still the TTRP 'supporting' them in that it will use them in negotiation.
The TB key parameter IDs the TTRP is willing/able to use will need to be the intersection of the supported TB key parameters of each of the backends. This might be cumbersome in some cases but is just the way it has to be for the “dumb/slim” TTRP model.

Let’s say a client negotiates signature scheme A with the RP, and signature scheme A calls for a 64-byte EKM. Then the client negotiates a signature scheme B with the IDP, and signature scheme B calls for a 32-byte EKM. The client sends Provided and Referred bindings to this IDP, and the Referred binding uses signature scheme A in combination with an EKM length 32 (which does not agree with the signature scheme definition). Is this what you’re proposing as option 4), or did I get it wrong?
Yes, that's an accurate description of what I'd proposed as option 4)


On Wed, Feb 22, 2017 at 6:03 PM, Andrei Popov <Andrei.Popov@microsoft.com<mailto:Andrei.Popov@microsoft.com>> wrote:
Correction inline☺.

From: Unbearable [mailto:unbearable-bounces@ietf.org<mailto:unbearable-bounces@ietf.org>] On Behalf Of Andrei Popov
Sent: Wednesday, February 22, 2017 4:39 PM
To: Brian Campbell <bcampbell@pingidentity.com<mailto:bcampbell@pingidentity.com>>
Cc: IETF Tokbind WG <unbearable@ietf.org<mailto:unbearable@ietf.org>>
Subject: Re: [Unbearable] ramifications of longer EKMs


>  I'm not sure I follow this?

>  I'd think, if this kind of model was used, a TTRP could do all the TB validation work and just expose the TB ID(s) to the backend where they can bind to whatever tokens/cookies they are issuing.
Sure, this design would work. My point is that the tokbind-tls-term document cannot require one particular model of TB processing, because if this one model does not meet a data center’s requirements/architecture, the document is easily ignored. And it would be particularly undesirable to lose the “dumb/slim” TTRP model.

>  The backend apps would only be able to use TB key parameters that the TTRP supports but that's pretty much true of the other model too - the TTRP still is the one negotiating.
Backend could pass the TB key parameters to the TTRP, or these could be part of the TTRP configuration. All the “dumb/slim” TTRP needs to know is TB protocol version and a prioritized list of TB key parameter IDs.

>  It only defeats the purpose of having per-signature-scheme EKM lengths in the case of a refereed TB using a longer EKM than the provided.
Let’s say a client negotiates signature scheme A with the RP, and signature scheme A calls for a 64-byte EKM. Then the client negotiates a signature scheme B with the IDP, and signature scheme B calls for a 32-byte EKM. The client sends Provided and Referred bindings to this IDP, and the Referred binding uses signature scheme A in combination with an EKM length 32 (which does not agree with the signature scheme definition). Is this what you’re proposing as option 4), or did I get it wrong?

v2.43.4 | Report a Bug | By Email | System Status