IETF Logo Mail Archive

Re: [Unbearable] ramifications of longer EKMs

Brian Campbell <bcampbell@pingidentity.com> Thu, 23 February 2017 13:18 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: unbearable@ietfa.amsl.com
Delivered-To: unbearable@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 674C11297AC for <unbearable@ietfa.amsl.com>; Thu, 23 Feb 2017 05:18:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QP8CehRUjGE9 for <unbearable@ietfa.amsl.com>; Thu, 23 Feb 2017 05:18:40 -0800 (PST)
Received: from mail-yb0-x22d.google.com (mail-yb0-x22d.google.com [IPv6:2607:f8b0:4002:c09::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9EFA6129717 for <unbearable@ietf.org>; Thu, 23 Feb 2017 05:18:39 -0800 (PST)
Received: by mail-yb0-x22d.google.com with SMTP id i66so8723971yba.1 for <unbearable@ietf.org>; Thu, 23 Feb 2017 05:18:39 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=gmail; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=d0yWMOiM0ESaxQ7pHl4uCHrCai0nflMJWV3yCdcDRQQ=; b=Hcm/2EWGneIGbHSLPQsVf+tu5b4/QYqWaAu6mbT2/nIyVH7lz4IE/Sn1rDxgUNe5tQ IXjmFO8TtDFdQyN+shNKnGavNasMQTrMGpsEnCmDJFSSpJqCNmuKkF02+bmujPFGD6qy t5/x4Grc1gAHfvzRtHzi12074Jgi2OiBgqUds=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=d0yWMOiM0ESaxQ7pHl4uCHrCai0nflMJWV3yCdcDRQQ=; b=JfWQd9aY/oG5EQzZhZ1e7hCyM3F/IiQWlF2VJHPMguqx9rL+cDIt/YExaAKh0MIPnh ZnEEzjBoeBN9PP1A9eygRtTkaUDdJZ0FNWUg+pihrK3yhSXKoe/qPW7Zy+5Ig5fL0aOB kFN2VGh2+6/3kM3w9mZsxKRckfpSry6SgxndmeHQMnGUa4MvmWaTLSQGTOmyJMNhUxC6 dgJDAWyDlJGg4RHnr+Q0iUZCOGKcdLh1SrpTayAyKwss9P6PBqmfGYizvoCSCdxd0CwR moSECl7SARFxBEWpy+1c37Am9ygbCh61ITwslZWUnx3Yh8fJhH95JECw26A5YjNDsnCO qrnA==
X-Gm-Message-State: AMke39mJoum6eIiIsGkKoMR1hBQZqW3zKNlVpaIC3sy72LEm8GupgTsZgLQVxVXx4/tZt8/hJjraiUCwwrGB8DyR
X-Received: by 10.37.78.3 with SMTP id c3mr27024066ybb.180.1487855918785; Thu, 23 Feb 2017 05:18:38 -0800 (PST)
MIME-Version: 1.0
Received: by 10.37.126.131 with HTTP; Thu, 23 Feb 2017 05:18:08 -0800 (PST)
In-Reply-To: <CY1PR0301MB0842026E974F75CE28AA264C8C530@CY1PR0301MB0842.namprd03.prod.outlook.com>
References: <CA+k3eCTRAdwW9xj2JRcs7LwgXJtWj=zDFrZVGJVLmV-vHuYstw@mail.gmail.com> <CY1PR0301MB0842D765811AA4C37AE332938C500@CY1PR0301MB0842.namprd03.prod.outlook.com> <CA+k3eCQw4KErXHrQWx=uEmf6OKvp9nGQYiC2nWk4+exorxjDCg@mail.gmail.com> <CY1PR0301MB0842C76A829D345AAC18FB988C530@CY1PR0301MB0842.namprd03.prod.outlook.com> <CY1PR0301MB0842026E974F75CE28AA264C8C530@CY1PR0301MB0842.namprd03.prod.outlook.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Thu, 23 Feb 2017 06:18:08 -0700
Message-ID: <CA+k3eCQZKAf7BOWKBDQqBDR63OBKOogyuDT+j1JCqSDU3EUuQg@mail.gmail.com>
To: Andrei Popov <Andrei.Popov@microsoft.com>
Content-Type: multipart/alternative; boundary="001a113e7fae84489b054932736a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/unbearable/l0HS-PPJLOM8nmbuKY22GxM-yjE>
Cc: IETF Tokbind WG <unbearable@ietf.org>
Subject: Re: [Unbearable] ramifications of longer EKMs
X-BeenThere: unbearable@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "\"This list is for discussion of proposals for doing better than bearer tokens \(e.g. HTTP cookies, OAuth tokens etc.\) for web applications. The specific goal is chartering a WG focused on preventing security token export and replay attacks.\"" <unbearable.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/unbearable>, <mailto:unbearable-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/unbearable/>
List-Post: <mailto:unbearable@ietf.org>
List-Help: <mailto:unbearable-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/unbearable>, <mailto:unbearable-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Feb 2017 13:18:41 -0000

>
> Sure, this design would work. My point is that the tokbind-tls-term
> document cannot require one particular model of TB processing, because if
> this one model does not meet a data center’s requirements/architecture, the
> document is easily ignored. And it would be particularly undesirable to
> lose the “dumb/slim” TTRP model.
>

Are you suggesting that tokbind-tls-term should have more than one model?
Or that the “dumb/slim” TTRP model is most likely to be the desired model?

Backend could pass the TB key parameters to the TTRP, or these could be
> part of the TTRP configuration. All the “dumb/slim” TTRP needs to know is
> TB protocol version and a prioritized list of TB key parameter IDs.
>
Sure, that prioritized list of TB key parameter IDs is still the TTRP
'supporting' them in that it will use them in negotiation.

The TB key parameter IDs the TTRP is willing/able to use will need to be
the intersection of the supported TB key parameters of each of the
backends. This might be cumbersome in some cases but is just the way it has
to be for the “dumb/slim” TTRP model.

Let’s say a client negotiates signature scheme A with the RP, and signature
> scheme A calls for a 64-byte EKM. Then the client negotiates a signature
> scheme B with the IDP, and signature scheme B calls for a 32-byte EKM.
> The client sends Provided and Referred bindings to this IDP, and the
> Referred binding uses signature scheme A in combination with an EKM length
> 32 (which does not agree with the signature scheme definition). Is this
> what you’re proposing as option 4), or did I get it wrong?
>
Yes, that's an accurate description of what I'd proposed as option 4)


On Wed, Feb 22, 2017 at 6:03 PM, Andrei Popov <Andrei.Popov@microsoft.com>
wrote:

> Correction inlineJ.
>
>
>
> *From:* Unbearable [mailto:unbearable-bounces@ietf.org] *On Behalf Of *Andrei
> Popov
> *Sent:* Wednesday, February 22, 2017 4:39 PM
> *To:* Brian Campbell <bcampbell@pingidentity.com>
> *Cc:* IETF Tokbind WG <unbearable@ietf.org>
> *Subject:* Re: [Unbearable] ramifications of longer EKMs
>
>
>
> Ø  I'm not sure I follow this?
>
> Ø  I'd think, if this kind of model was used, a TTRP could do all the TB
> validation work and just expose the TB ID(s) to the backend where they can
> bind to whatever tokens/cookies they are issuing.
>
> Sure, this design would work. My point is that the tokbind-tls-term
> document cannot require one particular model of TB processing, because if
> this one model does not meet a data center’s requirements/architecture, the
> document is easily ignored. And it would be particularly undesirable to
> lose the “dumb/slim” TTRP model.
>
> Ø  The backend apps would only be able to use TB key parameters that the
> TTRP supports but that's pretty much true of the other model too - the TTRP
> still is the one negotiating.
>
> Backend could pass the TB key parameters to the TTRP, or these could be
> part of the TTRP configuration. All the “dumb/slim” TTRP needs to know is
> TB protocol version and a prioritized list of TB key parameter IDs.
>
> Ø  It only defeats the purpose of having per-signature-scheme EKM lengths
> in the case of a refereed TB using a longer EKM than the provided.
>
> Let’s say a client negotiates signature scheme A with the RP, and
> signature scheme A calls for a 64-byte EKM. Then the client negotiates a
> signature scheme B with the IDP, and signature scheme B calls for a 32-
> byte EKM. The client sends Provided and Referred bindings to this IDP,
> and the Referred binding uses signature scheme A in combination with an EKM
> length 32 (which does not agree with the signature scheme definition). Is
> this what you’re proposing as option 4), or did I get it wrong?
>

v2.29.0 | Report a Bug | By Email | System Status