
Re: Compound authentication "issue"



Hi All,

Larry and I exchanged several messages off-list (since it appeared we were
talking about different attacks) and, I think, arrived at a similar conclusion
to that suggested by Stephen earlier:

     "I'm not at all sure that it'd be in our charter to develop any new
     mutual authentication schemes, which is what I believe would be needed
     to properly bind sTLS and DIGEST-MD5."

We agree that my proposed change to bind TLS to digest-MD5 (e.g., by including
the TLS server's certID in the client response) would prohibit an attacker from
transparently relaying the complete digest-MD5 "mutual auth" sequence to some
other (i.e., the intended) SACRED credential server.

However, as Larry then points out, the resultant combination-protocol is still
subject to brute force attacks on the digest-MD5 "client response".  This type
of attacker need only capture a single client response and use it to determine
the user's password (via offline dictionary attack).  As a result, any
standardization work necessary to define a new variant of digest-MD5 is probably
unwarranted.

Here is a picture of the attack scenarios under discussion:

 +------------+                +------------+                +------------+
 |  SACRED    |                |   MITM     |                |  SACRED    |
 |  client    |                |            |                |  server    |
 +------------+                +------------+                +------------+
       <----------------------------> <---------------------------->
               TLS session 1                  TLS session 2
       <----------------------------------------------------------->
               digest-MD5 protocol exchange (auth-only)

All of this suggests that some other approach that bolsters the TLS level
"server auth" function would be far more productive for this particular ID.  Use
of digest-MD5 for more than "auth only" might also be an interesting discussion
...

In any event, I don't mean to speak for Larry here -- he'll have to jump in and
add further comments as appropriate.

Regards,

Dale Gustafson


> Lawrence Greenfield wrote:
>
>> --On Friday, December 20, 2002 7:37 AM -0600 Dale Gustafson
>> <degustafson@xxxxxxxxx> wrote:
>>
>> > SACRED clients will include a unique value received from the TLS server
>> > (e.g., during session negotiation) within their digest-MD5 response.
>>
>> DIGEST-MD5 is a mature standard that's already been deployed in other
>> protocols (as a MUST implement for LDAP, for instance).
>>
>> Changing DIGEST-MD5 is definitely a no-go. If you were going to do that,
>> you could just define a new SASL mechanism.
>>
>> Again, due to the properties of DIGEST-MD5 the attack under consideration
>> is thwarted (and I like the proposed text).
>>
>> Larry
>
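The relay scenario in the picture above, as an added example that is not part of the original thread: a simplified RFC 2831 DIGEST-MD5 response computation with the proposed TLS-certificate binding mixed into A2 (a hypothetical construction modelled on the suggestion in this thread, not a standardised field), showing that a response relayed by the MITM fails verification at the intended server once the binding is in place. Note that the verifier needs only the stored H(username:realm:password) to recompute the response, which is exactly why a captured response still leaves the password exposed to offline guessing. All names, nonces and certificate IDs are constructed sample values.

```python
import hashlib
import hmac
from typing import Optional

def _md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()

def user_hash(user: str, realm: str, password: str) -> bytes:
    """H(username:realm:password): the only password-derived value a verifier keeps."""
    return _md5(f"{user}:{realm}:{password}".encode())

def digest_response(h_urp: bytes, nonce: str, cnonce: str, nc: str, qop: str,
                    digest_uri: str, tls_cert_id: Optional[str] = None) -> str:
    """Simplified RFC 2831 client response (no authzid).
    tls_cert_id is the HYPOTHETICAL binding from the thread: the certificate ID
    of the TLS server the client actually talked to, appended to A2."""
    a1 = h_urp + f":{nonce}:{cnonce}".encode()
    a2 = f"AUTHENTICATE:{digest_uri}"
    if tls_cert_id is not None:
        a2 += f":{tls_cert_id}"
    kd = f"{_md5(a1).hex()}:{nonce}:{nc}:{cnonce}:{qop}:{_md5(a2.encode()).hex()}"
    return _md5(kd.encode()).hex()

# Constructed sample values, not taken from any real deployment.
USER, REALM, PASSWORD = "alice", "sacred.example", "correct horse"
URI, QOP, NC = "sacred/server.example", "auth", "00000001"
REAL_CERT_ID = "certid:REAL-SACRED-SERVER"   # placeholder fingerprint
MITM_CERT_ID = "certid:MITM-ENDPOINT"         # placeholder fingerprint

def relay_scenario(bind_tls: bool, mitm_present: bool) -> bool:
    """Return True if the real SACRED server accepts the client's response.
    With a MITM, TLS session 1 terminates at the MITM (so the client sees the
    MITM's certificate) and the MITM relays nonce and response unchanged over
    TLS session 2 to the real server."""
    h_urp = user_hash(USER, REALM, PASSWORD)      # client derives; server stores
    nonce, cnonce = "srv-nonce-7f3a", "cli-nonce-91c0"   # constructed nonces
    seen_cert = MITM_CERT_ID if mitm_present else REAL_CERT_ID
    client_resp = digest_response(h_urp, nonce, cnonce, NC, QOP, URI,
                                  seen_cert if bind_tls else None)
    # The server recomputes with the cert ID of ITS OWN TLS session.
    expected = digest_response(h_urp, nonce, cnonce, NC, QOP, URI,
                               REAL_CERT_ID if bind_tls else None)
    return hmac.compare_digest(client_resp, expected)

if __name__ == "__main__":
    print("no binding, MITM relay accepted:", relay_scenario(False, True))   # True
    print("binding, MITM relay accepted:   ", relay_scenario(True, True))    # False
    print("binding, direct session:        ", relay_scenario(True, False))   # True
```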