IETF Logo Mail Archive

Re: [Unbearable] ramifications of longer EKMs

Brian Campbell <bcampbell@pingidentity.com> Thu, 23 February 2017 23:49 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: unbearable@ietfa.amsl.com
Delivered-To: unbearable@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 96F47129C77 for <unbearable@ietfa.amsl.com>; Thu, 23 Feb 2017 15:49:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cQMKO_413w1m for <unbearable@ietfa.amsl.com>; Thu, 23 Feb 2017 15:49:35 -0800 (PST)
Received: from mail-yw0-x22f.google.com (mail-yw0-x22f.google.com [IPv6:2607:f8b0:4002:c05::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C9615129C5A for <unbearable@ietf.org>; Thu, 23 Feb 2017 15:49:34 -0800 (PST)
Received: by mail-yw0-x22f.google.com with SMTP id v200so3236589ywc.3 for <unbearable@ietf.org>; Thu, 23 Feb 2017 15:49:34 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=gmail; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=2zzPUiol9MnXgsg7JGMAMja5AP69SFztvZrbJujp+2I=; b=KFiP9FS1mt2SL5azzy7Sm2Bje6Zktyb7ve+ZzT26cLUj2IPLBogbyhQ5hd4emElFDD omaINNJc9RR1ru4mxDoyVLEd948GQnOWw3lbXqpL1ILk2CJYLYnstptbpgo56il1R5ql qckdWeKygz7VIpRGHko04IpeEAvyWPkzAhiGQ=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=2zzPUiol9MnXgsg7JGMAMja5AP69SFztvZrbJujp+2I=; b=TTO6s9LLVs90Ih0K9RgertzmG3LBjfxpRM4/l0pmfrJ87ViF4cChwXPKvNiGLFOON6 9xfTl8Brdj6whHgDmc06hgV7z9wpoHz1sEvQsX9HdyUoX+5oicz4fihXRwTy8MeN37ry IxeqQ54dmk7EGu6VyhjwDNFqKQH2dylcX/VCaDBlO0Wwx0ELh7a2gywH4vSnhIrwNLBE KWIv/Ts8swdyCwbCScRDfq7q4JmMxKboXZ4xc8/darqo98CbpRszefVT0GZ3SKAWvjk+ k+bI3ChBGU/psBYBLY8tMrqzX/5PzzPLBk8DXi27WfknZQ8waeUCOI6ztvY4PHgPV8Qu w7TA==
X-Gm-Message-State: AMke39nsCW595QKZIuH58a1MP9uyz9VEOAe9T+X9s+sQRjU0qjvZ/BeAnTwh5tsAkn82TUb2Gx5efhpMtqemtx+c
X-Received: by 10.129.115.68 with SMTP id o65mr16629613ywc.55.1487893773912; Thu, 23 Feb 2017 15:49:33 -0800 (PST)
MIME-Version: 1.0
Received: by 10.37.126.131 with HTTP; Thu, 23 Feb 2017 15:49:03 -0800 (PST)
In-Reply-To: <CY1PR0301MB08427EB93E5E942C662AF06B8C530@CY1PR0301MB0842.namprd03.prod.outlook.com>
References: <CA+k3eCTRAdwW9xj2JRcs7LwgXJtWj=zDFrZVGJVLmV-vHuYstw@mail.gmail.com> <CY1PR0301MB0842D765811AA4C37AE332938C500@CY1PR0301MB0842.namprd03.prod.outlook.com> <CA+k3eCQw4KErXHrQWx=uEmf6OKvp9nGQYiC2nWk4+exorxjDCg@mail.gmail.com> <CY1PR0301MB0842C76A829D345AAC18FB988C530@CY1PR0301MB0842.namprd03.prod.outlook.com> <CY1PR0301MB0842026E974F75CE28AA264C8C530@CY1PR0301MB0842.namprd03.prod.outlook.com> <CA+k3eCQZKAf7BOWKBDQqBDR63OBKOogyuDT+j1JCqSDU3EUuQg@mail.gmail.com> <CY1PR0301MB08427EB93E5E942C662AF06B8C530@CY1PR0301MB0842.namprd03.prod.outlook.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Thu, 23 Feb 2017 16:49:03 -0700
Message-ID: <CA+k3eCTwP0pyKbm=1Lxsdq=BucApD8ezmyJBajLzAAVoTkcAXg@mail.gmail.com>
To: Andrei Popov <Andrei.Popov@microsoft.com>
Content-Type: multipart/alternative; boundary="001a1149359cdbc5a905493b43d1"
Archived-At: <https://mailarchive.ietf.org/arch/msg/unbearable/qwD5lts9VQg7TOj10gsElxOhDx4>
Cc: IETF Tokbind WG <unbearable@ietf.org>
Subject: Re: [Unbearable] ramifications of longer EKMs
X-BeenThere: unbearable@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "\"This list is for discussion of proposals for doing better than bearer tokens \(e.g. HTTP cookies, OAuth tokens etc.\) for web applications. The specific goal is chartering a WG focused on preventing security token export and replay attacks.\"" <unbearable.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/unbearable>, <mailto:unbearable-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/unbearable/>
List-Post: <mailto:unbearable@ietf.org>
List-Help: <mailto:unbearable-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/unbearable>, <mailto:unbearable-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Feb 2017 23:49:36 -0000

>
> Then what we have in option 4) is an IDP that supports a subset, rather
> than superset, of its RP’s TB key parameters. Which is a known type of
> misconfiguration that can happen between the IDP and RPs.
>

I wouldn't characterize it as misconfiguration but rather just different
domains supporting different sets of TB key params. And could happen even
if the sets were the same but prioritized differently.


> In any case, the TB key parameters negotiation would not be very robust if
> we say that a given signature scheme really requires a 64-byte EKM, but may
> also be used with a 32-byte EKM if the binding is Referred…


The negotiation is only for the TB key parameters for the provided binding.
I'm just suggesting that the EKM length choice for the whole TB message
could be tied to that.  It seemed like an okay simplification at what felt
like a low cost of signing over less data in the case of the referred TB
otherwise using a longer EKM.  You don't seem to see it as okay though and
there's yet to be any other opinions expressed on it. So I can let that
idea go.


On Thu, Feb 23, 2017 at 1:13 PM, Andrei Popov <Andrei.Popov@microsoft.com>
wrote:

> Ø  Are you suggesting that tokbind-tls-term should have more than one
> model?
>
> Alternatively, we may end up with more than one tokbind-tls-termJ.
>
>
>
> Ø  Or that the “dumb/slim” TTRP model is most likely to be the desired
> model?
>
> It seems undesirable to prevent “dumb/slim” TTRPs, regardless of what tokbind-tls-term
> ends up saying.
>
>
>
> Ø  Yes, that's an accurate description of what I'd proposed as option 4)
>
> Then what we have in option 4) is an IDP that supports a subset, rather
> than superset, of its RP’s TB key parameters. Which is a known type of
> misconfiguration that can happen between the IDP and RPs.
>
> In any case, the TB key parameters negotiation would not be very robust if
> we say that a given signature scheme really requires a 64-byte EKM, but may
> also be used with a 32-byte EKM if the binding is Referred…
>
>
>
> *From:* Brian Campbell [mailto:bcampbell@pingidentity.com]
> *Sent:* Thursday, February 23, 2017 5:18 AM
> *To:* Andrei Popov <Andrei.Popov@microsoft.com>
> *Cc:* IETF Tokbind WG <unbearable@ietf.org>
> *Subject:* Re: [Unbearable] ramifications of longer EKMs
>
>
>
> Sure, this design would work. My point is that the tokbind-tls-term
> document cannot require one particular model of TB processing, because if
> this one model does not meet a data center’s requirements/architecture, the
> document is easily ignored. And it would be particularly undesirable to
> lose the “dumb/slim” TTRP model.
>
>
>
> Are you suggesting that tokbind-tls-term should have more than one model?
> Or that the “dumb/slim” TTRP model is most likely to be the desired model?
>
> Backend could pass the TB key parameters to the TTRP, or these could be
> part of the TTRP configuration. All the “dumb/slim” TTRP needs to know is
> TB protocol version and a prioritized list of TB key parameter IDs.
>
> Sure, that prioritized list of TB key parameter IDs is still the TTRP
> 'supporting' them in that it will use them in negotiation.
>
> The TB key parameter IDs the TTRP is willing/able to use will need to be
> the intersection of the supported TB key parameters of each of the
> backends. This might be cumbersome in some cases but is just the way it has
> to be for the “dumb/slim” TTRP model.
>
>
>
> Let’s say a client negotiates signature scheme A with the RP, and
> signature scheme A calls for a 64-byte EKM. Then the client negotiates a
> signature scheme B with the IDP, and signature scheme B calls for a 32-
> byte EKM. The client sends Provided and Referred bindings to this IDP,
> and the Referred binding uses signature scheme A in combination with an EKM
> length 32 (which does not agree with the signature scheme definition). Is
> this what you’re proposing as option 4), or did I get it wrong?
>
> Yes, that's an accurate description of what I'd proposed as option 4)
>
>
>
>
>
> On Wed, Feb 22, 2017 at 6:03 PM, Andrei Popov <Andrei.Popov@microsoft.com>
> wrote:
>
> Correction inlineJ.
>
>
>
> *From:* Unbearable [mailto:unbearable-bounces@ietf.org] *On Behalf Of *Andrei
> Popov
> *Sent:* Wednesday, February 22, 2017 4:39 PM
> *To:* Brian Campbell <bcampbell@pingidentity.com>
> *Cc:* IETF Tokbind WG <unbearable@ietf.org>
> *Subject:* Re: [Unbearable] ramifications of longer EKMs
>
>
>
> Ø  I'm not sure I follow this?
>
> Ø  I'd think, if this kind of model was used, a TTRP could do all the TB
> validation work and just expose the TB ID(s) to the backend where they can
> bind to whatever tokens/cookies they are issuing.
>
> Sure, this design would work. My point is that the tokbind-tls-term
> document cannot require one particular model of TB processing, because if
> this one model does not meet a data center’s requirements/architecture, the
> document is easily ignored. And it would be particularly undesirable to
> lose the “dumb/slim” TTRP model.
>
> Ø  The backend apps would only be able to use TB key parameters that the
> TTRP supports but that's pretty much true of the other model too - the TTRP
> still is the one negotiating.
>
> Backend could pass the TB key parameters to the TTRP, or these could be
> part of the TTRP configuration. All the “dumb/slim” TTRP needs to know is
> TB protocol version and a prioritized list of TB key parameter IDs.
>
> Ø  It only defeats the purpose of having per-signature-scheme EKM lengths
> in the case of a refereed TB using a longer EKM than the provided.
>
> Let’s say a client negotiates signature scheme A with the RP, and
> signature scheme A calls for a 64-byte EKM. Then the client negotiates a
> signature scheme B with the IDP, and signature scheme B calls for a 32-
> byte EKM. The client sends Provided and Referred bindings to this IDP,
> and the Referred binding uses signature scheme A in combination with an EKM
> length 32 (which does not agree with the signature scheme definition). Is
> this what you’re proposing as option 4), or did I get it wrong?
>
>
>

v2.29.0 | Report a Bug | By Email | System Status