Discussion:
[kitten] SPAKE pa-hint
Greg Hudson
2018-02-07 01:15:26 UTC
Candidate draft changes here:
https://github.com/greghudson/ietf/pull/5/files

For convenience, here is the proposed text. Keep in mind that (as far
as I know) no one currently implements RFC 6113 authentication sets, so
implementations will generally ignore the new section for the time
being.

10. Hint for Authentication Sets

If a KDC offers SPAKE pre-authentication as part of an authentication
set ([RFC6113] section 5.3), it MAY provide a pa-hint value
containing the DER encoding of the ASN.1 type PA-SPAKE-HINT, to help
the client determine whether SPAKE pre-authentication is likely to
succeed if the authentication set is chosen.

PA-SPAKE-HINT ::= SEQUENCE {
    groups  [0] SEQUENCE (SIZE(1..MAX)) OF Int32,
    factors [1] SEQUENCE (SIZE(1..MAX)) OF SPAKESecondFactor
}

The groups field indicates the KDC's supported groups. The factors
field indicates the KDC's supported second factors. The KDC MAY omit
the data field of values in the factors list.

A KDC MUST NOT include a PA-SPAKE-HINT message in a pa-value field;
hints must only be provided within authentication sets. A KDC SHOULD
include a hint if SPAKE pre-authentication is offered as the second
or later element of an authentication set.

The PA-SPAKE-HINT message is not part of the transcript, and does not
replace any part of the SPAKE message flow.
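As an added example (not code from the draft, from MIT krb5, or from anyone in this thread), here is a strict DER encoder and decoder for the PA-SPAKE-HINT type above, plus the client-side decision the hint exists to support: "is this authentication set worth choosing?" It assumes Kerberos EXPLICIT tagging (so [0] and [1] are context-specific constructed tags 0xA0/0xA1), that Int32 is a 32-bit INTEGER, and that SPAKESecondFactor is `SEQUENCE { type [0] Int32, data [1] OCTET STRING OPTIONAL }` (the draft's definition, which this page does not reproduce); the group and factor-type numbers used as sample input are constructed placeholders, not registry values. The decoder rejects non-minimal lengths and integers, truncation and trailing bytes, and `hint_usable` treats an undecodable hint as "don't choose this set" rather than as a fatal error, which matches the point that hints are unauthenticated and never replace any part of the SPAKE exchange.

```python
# Added example (not from the draft, MIT krb5 or this thread). Assumes Kerberos EXPLICIT
# tagging, a 32-bit Int32, and SPAKESecondFactor ::= SEQUENCE { type [0] Int32, data [1]
# OCTET STRING OPTIONAL } (the draft's definition; not shown on the page).
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

INT32_MIN, INT32_MAX = -2**31, 2**31 - 1
SEQUENCE, INTEGER, OCTET_STRING, CTX0, CTX1 = 0x30, 0x02, 0x04, 0xA0, 0xA1  # CTXn = [n] EXPLICIT

@dataclass
class SecondFactor:
    type: int
    data: Optional[bytes] = None   # the KDC MAY omit data in a hint

def _tlv(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")   # minimal long-form length
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _integer(v: int) -> bytes:
    if not INT32_MIN <= v <= INT32_MAX:
        raise ValueError("Int32 out of range")
    n = ((v + (v < 0)).bit_length() + 8) // 8          # shortest two's-complement length
    return _tlv(INTEGER, v.to_bytes(n, "big", signed=True))

def encode_hint(groups: List[int], factors: List[SecondFactor]) -> bytes:
    """DER-encode PA-SPAKE-HINT; both lists are SIZE(1..MAX)."""
    if not groups or not factors:
        raise ValueError("groups and factors must be non-empty")
    g = _tlv(SEQUENCE, b"".join(_integer(x) for x in groups))
    fs = b""
    for f in factors:
        body = _tlv(CTX0, _integer(f.type))
        if f.data is not None:
            body += _tlv(CTX1, _tlv(OCTET_STRING, f.data))
        fs += _tlv(SEQUENCE, body)
    return _tlv(SEQUENCE, _tlv(CTX0, g) + _tlv(CTX1, _tlv(SEQUENCE, fs)))

def _read(buf: bytes, pos: int, want: int, whole: bool = False) -> Tuple[bytes, int]:
    """Read the TLV at pos (tag must be `want`); strict about lengths and, if whole, leftovers."""
    if pos + 2 > len(buf):
        raise ValueError("truncated")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if tag != want:
        raise ValueError(f"expected tag {want:#x}, got {tag:#x}")
    if length >= 0x80:                                  # long form: 0x8n then n length bytes
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf) or buf[pos] == 0:
            raise ValueError("bad length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        if length < 0x80:
            raise ValueError("non-minimal length")
    end = pos + length
    if end > len(buf) or (whole and end != len(buf)):
        raise ValueError("truncated or trailing data")
    return buf[pos:end], end

def _items(body: bytes, want: int) -> Iterator[bytes]:
    pos = 0
    while pos < len(body):
        item, pos = _read(body, pos, want)
        yield item

def _decode_integer(raw: bytes) -> int:
    nonminimal = len(raw) > 1 and ((raw[0] == 0x00 and raw[1] < 0x80)
                                   or (raw[0] == 0xFF and raw[1] >= 0x80))
    if not raw or nonminimal or len(raw) > 4:          # >4 minimal bytes cannot be an Int32
        raise ValueError("bad Int32 encoding")
    return int.from_bytes(raw, "big", signed=True)

def decode_hint(der: bytes) -> Tuple[List[int], List[SecondFactor]]:
    """Strict DER decode of PA-SPAKE-HINT; raises ValueError on any malformation."""
    outer, _ = _read(der, 0, SEQUENCE, whole=True)
    g_wrap, pos = _read(outer, 0, CTX0)
    f_wrap, _ = _read(outer, pos, CTX1, whole=True)
    g_seq, _ = _read(g_wrap, 0, SEQUENCE, whole=True)
    f_seq, _ = _read(f_wrap, 0, SEQUENCE, whole=True)
    groups = [_decode_integer(i) for i in _items(g_seq, INTEGER)]
    factors = []
    for item in _items(f_seq, SEQUENCE):
        t_wrap, pos = _read(item, 0, CTX0)
        ftype = _decode_integer(_read(t_wrap, 0, INTEGER, whole=True)[0])
        data = None
        if pos < len(item):                             # OPTIONAL data field present
            d_wrap, _ = _read(item, pos, CTX1, whole=True)
            data = _read(d_wrap, 0, OCTET_STRING, whole=True)[0]
        factors.append(SecondFactor(ftype, data))
    if not groups or not factors:
        raise ValueError("groups and factors must be non-empty")
    return groups, factors

def hint_usable(der: bytes, my_groups: set, my_factor_types: set) -> bool:
    """Client side: choose the set only if the KDC lists a group and a factor type we support."""
    try:
        groups, factors = decode_hint(der)
    except ValueError:                                  # hint is unauthenticated: not fatal
        return False
    return bool(set(groups) & my_groups) and any(f.type in my_factor_types for f in factors)
```

`encode_hint([1, 2], [SecondFactor(1)])` yields the 23-byte hint `3015 a008 3006 020101 020102 a109 3007 3005 a003 020101`: the outer SEQUENCE, a [0]-wrapped SEQUENCE OF two INTEGERs, and a [1]-wrapped SEQUENCE OF one SPAKESecondFactor whose data field is omitted. Because the hint arrives in unauthenticated plaintext unless FAST is in use, the decoder is deliberately strict and its only effect on a client is the choose/skip decision, never the transcript or the message flow.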
Benjamin Kaduk
2018-02-09 02:21:36 UTC
Post by Greg Hudson
https://github.com/greghudson/ietf/pull/5/files
For convenience, here is the proposed text. Keep in mind that (as far
as I know) no one currently implements RFC 6113 authentication sets, so
implementations will generally ignore the new section for the time
being.
10. Hint for Authentication Sets
If a KDC offers SPAKE pre-authentication as part of an authentication
set ([RFC6113] section 5.3), it MAY provide a pa-hint value
containing the DER encoding of the ASN.1 type PA-SPAKE-HINT, to help
the client determine whether SPAKE pre-authentication is likely to
succeed if the authentication set is chosen.
PA-SPAKE-HINT ::= SEQUENCE {
groups [0] SEQUENCE (SIZE(1..MAX)) OF Int32,
factors [1] SEQUENCE (SIZE(1..MAX)) OF SPAKESecondFactor
}
Do we need to repeat and/or modify the security considerations text
about unauthenticated plaintext in the factors portion of a
challenge with respect to the pa-hint contents?

-Ben
Post by Greg Hudson
The groups field indicates the KDC's supported groups. The factors
field indicates the KDC's supported second factors. The KDC MAY omit
the data field of values in the factors list.
A KDC MUST NOT include a PA-SPAKE-HINT message in a pa-value field;
hints must only be provided within authentication sets. A KDC SHOULD
include a hint if SPAKE pre-authentication is offered as the second
or later element of an authentication set.
The PA-SPAKE-HINT message is not part of the transcript, and does not
replace any part of the SPAKE message flow.
_______________________________________________
Kitten mailing list
https://www.ietf.org/mailman/listinfo/kitten
Greg Hudson
2018-02-09 05:31:21 UTC
On 02/08/2018 09:21 PM, Benjamin Kaduk wrote:
Post by Benjamin Kaduk
Do we need to repeat and/or modify the security considerations text
about unauthenticated plaintext in the factors portion of a
challenge with respect to the pa-hint contents?
Proposed text, adding a fourth paragraph to the unauthenticated
plaintext subsection:

Unless FAST is used, any PA-SPAKE-HINT messages included when SPAKE
is advertised in authentication sets are unauthenticated, and are not
protected by the transcript hash. Since hints do not replace any
part of the message flow, manipulation of hint messages can only
affect the client's decision to use or not use an authentication set,
which could more easily be accomplished by removing authentication
sets entirely.
Benjamin Kaduk
2018-02-09 18:11:54 UTC
Post by Greg Hudson
On 02/08/2018 09:21 PM, Benjamin Kaduk wrote:
Post by Benjamin Kaduk
Do we need to repeat and/or modify the security considerations text
about unauthenticated plaintext in the factors portion of a
challenge with respect to the pa-hint contents?
Proposed text, adding a fourth paragraph to the unauthenticated
plaintext subsection:
Unless FAST is used, any PA-SPAKE-HINT messages included when SPAKE
is advertised in authentication sets are unauthenticated, and are not
protected by the transcript hash. Since hints do not replace any
part of the message flow, manipulation of hint messages can only
affect the client's decision to use or not use an authentication set,
which could more easily be accomplished by removing authentication
sets entirely.
Sounds good. Thanks!

-Ben