[secdir] Review of OTP Pre-authentication, draft-ietf-krb-wg-otp-preauth-18
"Hilarie Orman" <hilarie@purplestreak.com> Mon, 29 August 2011 06:47 UTC
Return-Path: <hilarie@purplestreak.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3276921F85C4; Sun, 28 Aug 2011 23:47:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wtyxRzw31zjw; Sun, 28 Aug 2011 23:47:32 -0700 (PDT)
Received: from out02.mta.xmission.com (out02.mta.xmission.com [166.70.13.232]) by ietfa.amsl.com (Postfix) with ESMTP id 70CEB21F85B9; Sun, 28 Aug 2011 23:47:32 -0700 (PDT)
Received: from mx03.mta.xmission.com ([166.70.13.213]) by out02.mta.xmission.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69) (envelope-from <hilarie@purplestreak.com>) id 1QxveQ-0008TB-Uw; Mon, 29 Aug 2011 00:48:54 -0600
Received: from 166-70-57-249.ip.xmission.com ([166.70.57.249] helo=sylvester.rhmr.com) by mx03.mta.xmission.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69) (envelope-from <hilarie@purplestreak.com>) id 1QxveQ-0001pQ-1x; Mon, 29 Aug 2011 00:48:54 -0600
Received: from sylvester.rhmr.com (localhost [127.0.0.1]) by sylvester.rhmr.com (8.14.4/8.14.3/Debian-9.1ubuntu1) with ESMTP id p7T6mAXR005857; Mon, 29 Aug 2011 00:48:10 -0600
Received: (from hilarie@localhost) by sylvester.rhmr.com (8.14.4/8.14.4/Submit) id p7T6mAkG005855; Mon, 29 Aug 2011 00:48:10 -0600
Date: Mon, 29 Aug 2011 00:48:10 -0600
Message-Id: <201108290648.p7T6mAkG005855@sylvester.rhmr.com>
From: Hilarie Orman <hilarie@purplestreak.com>
To: secdir@ietf.org, iesg@ietf.org
X-XM-SPF: eid=; ; ; mid=; ; ; hst=mx03.mta.xmission.com; ; ; ip=166.70.57.249; ; ; frm=hilarie@purplestreak.com; ; ; spf=none
X-XM-DomainKey: sender_domain=purplestreak.com; ; ; sender=hilarie@purplestreak.com; ; ; status=error
X-SA-Exim-Connect-IP: 166.70.57.249
X-SA-Exim-Mail-From: hilarie@purplestreak.com
X-Spam-DCC: XMission; sa02 1397; Body=1 Fuz1=1 Fuz2=1
X-Spam-Combo: ;secdir@ietf.org, iesg@ietf.org
X-Spam-Relay-Country:
X-SA-Exim-Version: 4.2.1 (built Fri, 06 Aug 2010 16:31:04 -0600)
X-SA-Exim-Scanned: Yes (on mx03.mta.xmission.com)
Cc: gareth.richards@rsa.com
Subject: [secdir] Review of OTP Pre-authentication, draft-ietf-krb-wg-otp-preauth-18
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: Hilarie Orman <hilarie@purplestreak.com>
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Aug 2011 06:47:33 -0000
Security review of OTP Pre-authentication, draft-ietf-krb-wg-otp-preauth-18 Do not be alarmed. I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. The document defines how to use "one-time passwords" with Kerberos pre-authentication, over a secure tunnel between the client and the key distribution center (the KDC). A secure tunnel mechanism called "FAST", the subject a Crypto eprint paper and another Kerberos RFC, defines the use of cryptography. The OTP system uses its FAST key as part of generating its own one-time keys, and this combination is meant to protect against man-in-the-middle attacks. Although this document seems is in almost all respects well-written, it is difficult to review because of nesting depths of RFCs on which it relies, and because of the "ifs". The narrative description of the protocol has so many "ifs" that it is difficult to keep track of them. There are approximately 100 conditionals. Diagrams might be helpful. The protocol security relies directly on the ability to decrypt a nonce. A nonce sent by the challenging part must be encrypted by the responder using a one-time key that both parties can computer from their shared state. The challenger decrypts and compares to the nonce. This is something that Needham's "prudent principles" warns against, and in this case I cannot discount the advice. This is because the document does not supply exact definitions of cipher functions. Instead, it relies on generic elements of the cipher suite. The key derivation function ultimately depends on the "random-to-key" function of the cipher suite, but even finding this information involves looking at other RFCs and doing Google searches. So, it is difficult to review the security in general, and I cannot dissuade myself from thinking, even after reading the well-done security considerations section, that the authentication method might have flaws. The devil is in the details and the details are generic. In "2.3. PIN Change", we read "Most OTP tokens involve the use of a PIN in the generation of the OTP value." Is there a reference for a common OTP system that uses PINs? An editorial comment about the security consideration re "remaining entropy" ... this is really an issue about secrecy, not information theory, and I would call it "secret information". Reference to "Cryptology ePrint Archive" should include a URL for the archive, which is a service of the IACR (www.iacr.org). Hilarie
- [secdir] Review of OTP Pre-authentication, draft-… Hilarie Orman