Determining strength of encryption provided by a GSS-API mechanism

To: kitten at ietf.org
Subject: Determining strength of encryption provided by a GSS-API mechanism
From: Alexey Melnikov <alexey.melnikov at isode.com>
Date: Tue, 11 Aug 2009 13:10:47 +0100
Delivered-to: kitten at core3.amsl.com
List-archive: <http://www.ietf.org/mail-archive/web/kitten>
List-help: <mailto:kitten-request@ietf.org?subject=help>
List-id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-post: <mailto:kitten@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915

In continuation of the discussion in Stockholm about what can be done inthe WG that is of interest to implementors, I have one minor request.

I am working on a Cyrus SASL plugin that either uses GSS-API or SSPI.SASL uses a thing called Strength Security Factor (SSF) to determine ifa particular authentication mechanism is allowed by client or serversecurity policy. SSF roughly correspond to the key size for symmetricciphers, with SSF==0 being no privacy and no integrity, and SSF==1 beingintegrity only. (I am not going to defend the concept of SSF, but Ithink it is relatively easy to understand by sysadmins and it seems towork.) Each Cyrus SASL plugin needs to advertise its minimal and maximalsupported SSF, so the maximal SSF is going to be the strength of thestrongest supported symmetric cipher.

What I am missing is some API for retrieving SSF provided by a GSS-APImechanism's gss_wrap() with privacy, as well as for retrieving the bestSSF that can be provided by the mechanism. Is such API alreadyavailable, and if the answer is no, are people interested in working ondefining it?


Thanks,
Alexey

Follow-Ups:
- Re: Determining strength of encryption provided by a GSS-API mechanism
  - From: Love Hörnquist Åstrand

Prev by Date: RFC 5587 on Extended Generic Security Service Mechanism Inquiry APIs
Next by Date: Re: Determining strength of encryption provided by a GSS-API mechanism
Previous by thread: RFC 5587 on Extended Generic Security Service Mechanism Inquiry APIs
Next by thread: Re: Determining strength of encryption provided by a GSS-API mechanism
Index(es):
- Date
- Thread

Determining strength of encryption provided by a GSS-API mechanism

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.