[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Crypto agility in SCRAM + draft-josefsson-password-auth?

To: Hallvard B Furuseth <h.b.furuseth@xxxxxxxxxxx>
Subject: Re: Crypto agility in SCRAM + draft-josefsson-password-auth?
From: Jeffrey Hutzelman <jhutz@xxxxxxx>
Date: Mon, 31 Mar 2008 11:01:19 -0400 (EDT)
Cc: Nicolas Williams <Nicolas.Williams@xxxxxxx>, Chris Newman <Chris.Newman@xxxxxxx>, Simon Josefsson <simon@xxxxxxxxxxxxx>, <ietf-sasl@xxxxxxx>
In-reply-to: <hbf.20080331onqh@xxxxxxxxxxxxx>
List-archive: <http://www.imc.org/ietf-sasl/mail-archive/>
List-id: <ietf-sasl.imc.org>
List-unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe>
Sender: owner-ietf-sasl@xxxxxxxxxxxx

On Mon, 31 Mar 2008, Hallvard B Furuseth wrote:

> I think security requires that it can return one list of mechanisms
> which will work and one with mechanisms which might work.  (Both subsets
> of those reachable without mechanism-negotiation, as you say below.)
>
> Otherwise the mechanism-negotiation mechanism could reveal information
> which would not be revealed by the chosen mechanism.  (E.g. over an
> unencrypted connection, with a mechanism which encrypts the exchange.)
>
> The "might work" list would consist of all supported mechanisms which
> would disclose information the admin(?) thinks should be hidden if they
> were sent in the "will work" list, or something like that.
> (If the user does not exist, the "will work" list could still contain a
> suggested mechanism - where authentication would successfully fail:-)

I haven't fully paged this discussion back in yet, but...

I don't think you actually want to distinguish between two lists, because
doing so provides no utility.  I agree that it should be OK to offer
mechanisms that won't actually work for this user.  Doing so increases the
chance that the client will choose one of those, causing authentication to
fail when it could have succeeded, but that's unlikely in practice because
often the client has been configured to expect a particular mechanism.

I believe there is a tradeoff between the "security" of not exposing
information about which mechanisms work for which users and the potential
interoperability problems caused by advertising mechanisms that won't
actually work.  It is appropriate for this tradeoff to be a matter of
policy.

Similarly, there is no problem advertising some set of mechanisms for a
user that does not actually exist, as a way of hiding information about
wich users exist.

The important properties are these:

> > The theory here
> > is that there are no mechanisms which are reachable only via the
> > negotiation mechanism (as would be the case with, for example, GS2+SPNEGO)
> > _and_ any mechanism in the original set which is not offered in the
> > second-level negotiation wouldn't have worked anyway.

-- Jeff

Follow-Ups:
- Re: Crypto agility in SCRAM + draft-josefsson-password-auth?
  - From: Hallvard B Furuseth

References:
- Re: Crypto agility in SCRAM + draft-josefsson-password-auth?
  - From: Hallvard B Furuseth

Prev by Date: Re: Crypto agility in SCRAM + draft-josefsson-password-auth?
Next by Date: Re: Clarifying the qualities we desire the DIGEST-MD5 replacement to have
Previous by thread: Re: Crypto agility in SCRAM + draft-josefsson-password-auth?
Next by thread: Re: Crypto agility in SCRAM + draft-josefsson-password-auth?
Index(es):
- Date
- Thread