RE: [TLS] Review of draft-santesson-tls-gssapi-00
Stefan Santesson wrote:
> > As for taking security out of the picture, that was your claim not
> > mine. For me, this state machine issue *is* a security issue and
> > it's not purely an issue of establishing a key with a sufficiently
> > strong algorithm.
>
> What other security issue than the strength of the key is there?
> TLS does not require any user authentication, so any added
> technology here can only be positive if the alternative is anonymous.
>
> Regarding key strength, I think all cryptographic experts
> would agree that:
>
> Good key XOR bad key = good key
>
> At least if they are produced independently of each other, e.g. that
> the bad key is not actively selected with knowledge of the good key
> to cancel it or make it bad. Following this logic, you can safely
> have another process creating a key of unknown strength and XOR it
> with the "good" key of TLS, and preserve the security level of TLS.
>
> This simple assumption makes the security impact very easy
> to analyze with respect to cryptographic strength.
I'm not sure what Eric had in mind here, but I don't think key
strength is the issue here. As we found out with e.g. PEAP and IKEv2,
adding a new layer or round of authentication can *reduce* security
if the layers/rounds are not coupled together in the right way.
This *is* a big deal!
(I'm referring to the "Man-in-the-Middle in Tunneled Authentication"
paper by Asokan, Niemi and Nyberg; and related work.)
I think Eric's concern was that the proposal would be easier to
analyze if the interaction between the current TLS state machine and
GSS-API would be done in some other way than in the current draft.
<snip>
> If it would not turn out to be a big deal, we have a significant win
> here by allowing numerous non-PKI based authentication technologies
> to be used with TLS. That is a "big deal".
No disagreement from me here...
Best regards,
Pasi
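
Added example, not part of the original message or of draft-santesson-tls-gssapi-00: a sketch of the coupling issue raised above, where a server that checks an inner authentication result without tying it to its own tunnel accepts a proof produced in a different context, while a compound-key binding check rejects it. The function names, labels and HMAC-SHA256 derivations are constructed for illustration and are not taken from the draft, PEAP or IKEv2.

```python
import hashlib
import hmac
import os


def _prf(key: bytes, label: bytes, data: bytes = b"") -> bytes:
    # Constructed toy PRF (HMAC-SHA256); not any protocol's real key schedule.
    return hmac.new(key, label + data, hashlib.sha256).digest()


def inner_response(secret: bytes, challenge: bytes) -> bytes:
    # Proof produced by the inner (layered) authentication method.
    return _prf(secret, b"inner-response", challenge)


def inner_key(secret: bytes, challenge: bytes) -> bytes:
    # Key that only the two parties holding `secret` can derive.
    return _prf(secret, b"inner-key", challenge)


def binding_mac(tunnel_key: bytes, ikey: bytes) -> bytes:
    # Couples the layers: the MAC key depends on BOTH the tunnel and inner keys.
    compound = _prf(tunnel_key, b"compound-key", ikey)
    return _prf(compound, b"binding")


def server_accepts(secret, challenge, tunnel_key, response,
                   binding=None, require_binding=True) -> bool:
    if not hmac.compare_digest(response, inner_response(secret, challenge)):
        return False
    if not require_binding:
        return True  # layers uncoupled: proof is valid in any tunnel
    expected = binding_mac(tunnel_key, inner_key(secret, challenge))
    return binding is not None and hmac.compare_digest(binding, expected)


def demo() -> dict:
    secret, challenge = os.urandom(32), os.urandom(16)  # constructed values
    t_server = os.urandom(32)  # key of the tunnel the server terminates
    t_other = os.urandom(32)   # key of whatever context the client really ran in
    resp = inner_response(secret, challenge)
    ikey = inner_key(secret, challenge)
    return {
        "same_tunnel_bound": server_accepts(
            secret, challenge, t_server, resp, binding_mac(t_server, ikey)),
        "other_context_unbound": server_accepts(
            secret, challenge, t_server, resp, require_binding=False),
        "other_context_bound": server_accepts(
            secret, challenge, t_server, resp, binding_mac(t_other, ikey)),
    }
```
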