[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: New GS2 design -- much simplified, and simplified SCRAM

To: Arnt Gulbrandsen <arnt@xxxxxxxx>
Subject: Re: New GS2 design -- much simplified, and simplified SCRAM
From: Nicolas Williams <Nicolas.Williams@xxxxxxx>
Date: Sat, 28 Feb 2009 13:38:36 -0600
Cc: Ned.Freed@xxxxxxx, Jeffrey Hutzelman <jhutz@xxxxxxx>, Dave Cridland <dave@xxxxxxxxxxxx>, ietf-sasl@xxxxxxx
In-reply-to: <uNZE3Kt4rhJpolJTjEBWSg.md5@xxxxxxxxxxxxxxxxxx>
List-archive: <http://www.imc.org/ietf-sasl/mail-archive/>
List-id: <ietf-sasl.imc.org>
List-unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe>
References: <20090223165123.GF9992@xxxxxxx> <01N5U5RXV61I00007A@xxxxxxxxxxxxxxxxx> <20090223212132.GU9992@xxxxxxx> <01N5YADLXAEG00007A@xxxxxxxxxxxxxxxxx> <20090226193157.GW9992@xxxxxxx> <01N5ZYEVIJKE00007A@xxxxxxxxxxxxxxxxx> <20090228000357.GN9992@xxxxxxx> <BD8F14EEF463E3586516A57F@xxxxxxxxxxxxxxxxxxxxxx> <20090228042410.GQ9992@xxxxxxx> <uNZE3Kt4rhJpolJTjEBWSg.md5@xxxxxxxxxxxxxxxxxx>
Sender: owner-ietf-sasl@xxxxxxxxxxxx
User-agent: Mutt/1.5.7i

On Sat, Feb 28, 2009 at 12:51:50PM +0100, Arnt Gulbrandsen wrote:
> Nicolas Williams writes:
> >Chris said that he wants channel binding and no sec layers, but later 
> >it was pointed out that not every implementor is ready to do channel 
> >binding to TLS at this time, so I *think* we have consensus that 
> >SCRAM should provide at least an integrity sec layer.
> 
> SASL security layers haven't succeeded. I don't know why. If you know 
> the reasons why, and they don't apply to SCRAM (as implemented by 
> randoms, not by ietf-sasl regulars), then fine. Otherwise it's just a 
> dead feature.

Never minding the fact that I use them...  This is what SCRAM/GS2 would
look like without sec layer support in GS2:

      C: Request authentication exchange (not a GS2 message, but a SASL
one)                                                        
      S: Empty Challenge                                                                                                            
      C: T  n=Chris Newman,r=ClientNonce                                                                               
         ^  ----------------------------
         |     SCRAM message
	 |
	 GS2 field compressing the RFC2743 header; constant for SCRAM

         The channel bindings data will have been:

            SCRAM-CB T <actual TLS channel binding, if any>
            ^^^^^^^^ ^
            |        |
            |        A copy of the header in front of SCRAM                                                                    
            |                                                                                                                       
            |                                                                                                                       
            Mech name, effectively constant, provided by the app and
            likely taken from server's SASL mech list.

      S: r=ClientNonceServerNonce,s=PxR/wv+epq,i=128
         -------------------------------------------
            SCRAM message                                                                                                   

      C: c=0123456789ABCDEF,r=ClientNonceServerNonce,p=WxPv/siO5l+qxN4
         -------------------------------------------------------------
            SCRAM message
      S: v=WxPv/siO5l+qxN4
         -----------------
            SCRAM message
      C: Empty message
      S: Outcome of authentication exchange (not a GS2 message, ...)

That means:

 - A single constant is used as a header to just one SCRAM message.

 - The mechanism name and a constant is used as a header to the channel
   binding data.

 - We still have two mechanism names: the server advertises only one of
   them, indicating whether the server supports channel binding.

   This and putting the mechname used into the channel binding is NOT an
   artifact of GS2 -- a pure SASL SCRAM would still need this.

The channel binding flag is gone -- the server can try to validate the
client's HMAC both, with and without channel binding data (but always
with the GS2 channel binding header).

Nico
--

Follow-Ups:
- Re: New GS2 design -- much simplified, and simplified SCRAM
  - From: Chris Newman

References:
- Re: New GS2 design -- much simplified, and simplified SCRAM
  - From: Nicolas Williams
- Re: New GS2 design -- much simplified, and simplified SCRAM
  - From: ned+ietf-sasl
- Re: New GS2 design -- much simplified, and simplified SCRAM
  - From: Nicolas Williams
- Re: New GS2 design -- much simplified, and simplified SCRAM
  - From: ned+ietf-sasl
- Re: New GS2 design -- much simplified, and simplified SCRAM
  - From: Nicolas Williams
- Re: New GS2 design -- much simplified, and simplified SCRAM
  - From: ned+ietf-sasl
- Re: New GS2 design -- much simplified, and simplified SCRAM
  - From: Nicolas Williams
- Re: New GS2 design -- much simplified, and simplified SCRAM
  - From: Jeffrey Hutzelman
- Re: New GS2 design -- much simplified, and simplified SCRAM
  - From: Nicolas Williams
- Re: New GS2 design -- much simplified, and simplified SCRAM
  - From: Arnt Gulbrandsen

Prev by Date: Re: New GS2 design -- much simplified, and simplified SCRAM
Next by Date: TLS channel bindings specification exists
Previous by thread: Re: New GS2 design -- much simplified, and simplified SCRAM
Next by thread: Re: New GS2 design -- much simplified, and simplified SCRAM
Index(es):
- Date
- Thread