Re: [Cfrg] aPAKE Analysis / Why System-Level-View
Natanael <natanael.l@gmail.com> Tue, 24 September 2019 10:15 UTC
Return-Path: <natanael.l@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8817312004A for <cfrg@ietfa.amsl.com>; Tue, 24 Sep 2019 03:15:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I7hM2DmQ0JiX for <cfrg@ietfa.amsl.com>; Tue, 24 Sep 2019 03:15:42 -0700 (PDT)
Received: from mail-vs1-xe2d.google.com (mail-vs1-xe2d.google.com [IPv6:2607:f8b0:4864:20::e2d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 03B70120043 for <cfrg@irtf.org>; Tue, 24 Sep 2019 03:15:41 -0700 (PDT)
Received: by mail-vs1-xe2d.google.com with SMTP id l2so928591vsr.8 for <cfrg@irtf.org>; Tue, 24 Sep 2019 03:15:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=+u2h/+jmXQVQQeyElI7ZQqbToGj4ndNtvEJtChICGDs=; b=FeRWsjKxox46/4yF5PlyHTWeATc6FQnGEpeA7F/qOqVwHCNxdJ9qqYGV9J5QVd85Cn SuiBXecsbYCGj9tNTmEnAF9DGT1iA7nHCokJGed07uEjSTYnEYvU5jEPthnonUKxEwAu JfZZp5Y3FSRJA5uVBZJhNgFL3t+Isc53JCLCC/M6SglFI12lpmwou561zjo5ehD+X3Nq gGHKC5R/86fJ3EuYUDY0YnSDQ0l6DFZ5gnSDVtR/sFp7eFwyVqlq1vo7B/NQBV3BwfvN ew/Oa1xZ/AgzWQAepru8nQpFOPscV9I2wyCSA/D7jkdIihS/hArHUeM1MGWxFDZ3LMlp phpA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=+u2h/+jmXQVQQeyElI7ZQqbToGj4ndNtvEJtChICGDs=; b=ION4LcKdc/5vYhmRamWkxjeEA66AJxTVm57dGSei5OIqeuJMGTyDFEj0/dIkBuJqlL qMeDB+8tMSeSGXg3xFOiUNJgjcOxJtpvdmNm5CZGaGgUfL/mYvG6J9SP+6E0pyuCQKXW fvAdCY+FLR0KWo/MArMaqg6k396WLRl1FxwKgy3z6R6zpQNfoQjqzbpYLLxXBHlVEt2Q RVdcb4gvfva6FjSgeol1JhUS3lZs9uPs83G80PNn5nsjBecs3k1QvixIvnccf63PPibZ XBSio6JrPL7xVC8cKB8DzY+JjzZZsjF7EJHpMlC627ahbj/8iX3AAEEiZEcs/Yzsrfwu mQJw==
X-Gm-Message-State: APjAAAXK6BP98aJladdKBoZpdF8+VYdrmd3wX00mrZwH1Cx08ujBEWsa DDAyQkitGDLgMjvZQjiZnY9yIYXMOdeiD6vDUeM=
X-Google-Smtp-Source: APXvYqxtT3JWFN3WhvqwgEdkzY5pRzcyexiZiglivMZl4SsjR1ZbNJyW+//LNnPjSBbtcZrLRWGpmJ1PkABw22q5D2A=
X-Received: by 2002:a67:d508:: with SMTP id l8mr1104002vsj.176.1569320140852; Tue, 24 Sep 2019 03:15:40 -0700 (PDT)
MIME-Version: 1.0
References: <VI1PR0501MB22558468E3C0549F452736CC838E0@VI1PR0501MB2255.eurprd05.prod.outlook.com> <CACykbs2-4XVJKZU_f90QN42XH-ec1HoUx02ts19gd3=AjjYTCA@mail.gmail.com> <CAAt2M1-zVqxQNQSts6PZmQrC7dcK4RKdn4vHKh_MeOAAK-=aPg@mail.gmail.com> <8f1cca24-ee64-7999-58bb-b4c206284716@web.de>
In-Reply-To: <8f1cca24-ee64-7999-58bb-b4c206284716@web.de>
From: Natanael <natanael.l@gmail.com>
Date: Tue, 24 Sep 2019 12:15:27 +0200
Message-ID: <CAAt2M19o1XiG14n4WMWpV3MH0SBvLnFbQMg2zEoabC4hsxyeYQ@mail.gmail.com>
To: Björn Haase <Bjoern.M.Haase@web.de>
Cc: IRTF CFRG <cfrg@irtf.org>
Content-Type: multipart/alternative; boundary="00000000000088d2e3059349d14f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/AaXeKGEnpFxXjOZqqcfCuvpjERQ>
Subject: Re: [Cfrg] aPAKE Analysis / Why System-Level-View
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Sep 2019 10:15:43 -0000
Den sön 22 sep. 2019 21:32Björn Haase <bjoern.m.haase@web.de> skrev: > > > Being able to trigger a PAKE from a button press on your 2FA hardware > > token would also be a significant UX improvement over many of the > > other options with similar security level. > > > Do I correctly understand that you had in mind: The user first > establishes a normal https:// connection and then presses the 2FA > hardware switch in order to run a PAKE in addition to the previous > certificate-based authentication? > Wouldn't have to be the default, but I'm considering a version of this; If the server tells the client that it supports both hardware 2FA and PAKE, and that they are supported together (and this flag could be cached on the client so it can alert on downgrade), then yes. It would perform HW 2FA auth on button press (may include certificates) and then trigger PAKE. The user types the password and hits OK. Done. > This is not what I assumed. What I had in mind is rather the following > procedure. The server knows its requirements regarding security, etc. . > The user and the browser don't know the required procedure in advance > when connecting. If the server is needing 2FA, it would arrange the > client to provide the aPAKE password entry mask and provide a "Please > press authentication token switch for authentication". > > Did I actually mis-understand your post? > Your approach seems to be slightly different. So the browser first opens the PAKE prompt and you then verify with the token? Presumably the browser informs the user that the current webpage has PAKE support, they click to open the prompt, and confirm with HW 2FA verification? While functionally similar, the difference is in the UX security. With your approach one could more easily get the user password through phishing by showing them fake login prompts (and in a targeted attack, the token could then be stolen). A user that has been successfully taught that the password must only be entered in the prompt after pressing the HW 2FA button will not type their password into phishing prompts. >
- Re: [Cfrg] aPAKE Analysis / Why System-Level-View Björn Haase
- Re: [Cfrg] aPAKE Analysis / Why System-Level-View Jonathan Hoyland
- Re: [Cfrg] aPAKE Analysis / Why System-Level-View Natanael
- Re: [Cfrg] aPAKE Analysis / Why System-Level-View Björn Haase
- Re: [Cfrg] aPAKE Analysis / Why System-Level-View Björn Haase
- [Cfrg] patent situation regarding hash2curve as u… Björn Haase
- Re: [Cfrg] aPAKE Analysis / Why System-Level-View Natanael