Re: [Cfrg] I like PKEX
Dan Harkins <dharkins@lounge.org> Mon, 04 December 2017 07:26 UTC
Return-Path: <dharkins@lounge.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 012B5126BF3 for <cfrg@ietfa.amsl.com>; Sun, 3 Dec 2017 23:26:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZSFMHEnCwXAm for <cfrg@ietfa.amsl.com>; Sun, 3 Dec 2017 23:26:33 -0800 (PST)
Received: from colo.trepanning.net (colo.trepanning.net [69.55.226.174]) by ietfa.amsl.com (Postfix) with ESMTP id 27C81126B7E for <cfrg@irtf.org>; Sun, 3 Dec 2017 23:26:33 -0800 (PST)
Received: from thinny.local (69-12-173-8.static.dsltransport.net [69.12.173.8]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by colo.trepanning.net (Postfix) with ESMTPSA id 5183410224054; Sun, 3 Dec 2017 23:26:32 -0800 (PST)
To: cfrg@irtf.org, David Jacobson <dmjacobson@sbcglobal.net>
References: <EA0997AC-6EB9-4649-8502-9A185A77760D@akamai.com> <CAL02cgT5hAfoga82Opb20C8sB63Hr4bSxssF+N-o=uPtQCoZZA@mail.gmail.com> <CAMr0u6mP8pscKSBwTxrFYaRvCqAvHKFEwai8m4GbWcNwhkA1Jg@mail.gmail.com> <CAMr0u6mt5i7gz0Pnv=oM6QZYN4aFjmfsa-Dwg=VB-URE5Jp_hQ@mail.gmail.com> <4fa7e777-22e2-264f-1119-8f593b6487ef@sbcglobal.net>
From: Dan Harkins <dharkins@lounge.org>
Message-ID: <29eab276-e60d-1620-54e7-014427673d9d@lounge.org>
Date: Sun, 03 Dec 2017 23:26:31 -0800
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:52.0) Gecko/20100101 Thunderbird/52.4.0
MIME-Version: 1.0
In-Reply-To: <4fa7e777-22e2-264f-1119-8f593b6487ef@sbcglobal.net>
Content-Type: multipart/alternative; boundary="------------E1C5F80D89388C1BBAEBF752"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/KPal6Qg9BDYybjIe-z-kIleutcM>
Subject: Re: [Cfrg] I like PKEX
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 Dec 2017 07:26:36 -0000
Hi David, On 12/2/17 7:46 PM, David Jacobson wrote: > I'm not a web protocol expert, nor a PKEX/PAKE expert, so what I'm > about to mention might be already solved. > > 1. I'd like some advocates of PKEX/PAKE to give a brief explanation > of what has to be added to browsers to make this work. And, in > particular, how can the end-user be sure that the thing asking for her > account number and password is the genuine browser implementation of > the client side of PKEX or PAKE, not some imposter? The only way the PAKE can succeed is if both sides know the same password. The advantage an attacker gains against the PAKE is based on interaction and not computation so as long as the user limits the number of "oh I must've fat-fingered my password, let me try again" the probability that the other side is not genuine can be acceptably low-- it would be n/d where n is the number of "oh I must've fat-fingered..." attempts attempted before giving up and d is the size of the pool from which the password was drawn. > 2. How do you bootstrap the security? The connection can't be > secure until the client presents some credentials. But the client > doesn't want to send credentials in the clear during the setup. And > the client wants to be certain that the entity she is communicating > with is genuine. So it looks like we have to use the present > protocols for creating an account. So we haven't really gotten rid > of having to trust a CA. Yes, this is a problem, we can't create security out of whole cloth. Depending on the site the password could be set up face-to-face (think of a bank) or maybe sent via SMS (think a social media sight). There is no need for a CA though because the password, once established, is parlayed into a trusted public key. Once PKEX is finished the password can be thrown away, or even exposed. It is of no use anymore. The public key is now used. Why do PKEX if you're gonna bootstrap the whole thing face-to-face? Well, a password is a more natural credential than a public key. It would be possible to do a PGP web of trust type of interaction to exchange trusted public keys at the bank but that level of sophistication is beyond your random teller and your random bank customer. Giving an 8 character password (abcd-wxyz) would be easy for teller to provide and for the customer to understand how to use-- just enter it next time he or she points a browser to the bank's website. > 3. And a similar problem arises around anonymous browsing. Suppose > our end user wants to browse women's apparel and wants to look around > and not identify herself unless she sees something she likes and wants > to buy it. There are many people who advocate using HTTPS for > everything to make it hard for an attacker to inject a malicious web > page. But with PKEX/PAKE the client either has to fall back on > present protocols or be vulnerable to injected attacks until she has > decided to reveal her identity. This isn't a solution to the problem of anonymous browsing but I would imagine that in the scenario you describe that if the sight was willing to support that sort of thing the HTTPS connection could be set up with server-side only authentication where the woman browsing authenticates the website with the public key she obtained earlier from her run of PKEX. Then she can anonymously browse to her heart's content until she finds something and then when she goes to purchase the selected item(s) will do another run of TLS this time with mutual authentication where she presents her public key, the one she provided during her run of PKEX, as part of client authentication. regards, Dan. > --David Jacobson > > > > > On 11/15/17 11:31 PM, Stanislav V. Smyshlyaev wrote: >> Though, unfortunately, I am not aware of any online banking systems >> or messengers that use PAKEs for user authentication, I'd like to >> mention (hope you consider it interesting) that there are some >> existing cloud signature solutions (digital signature servers) in >> Russia that use one of PAKEs to authenticate users to their private >> keys stored in a cloud - in a way that is pretty similar to the one >> that has been mentioned by Rich. >> >> >> Best regards, >> Stanislav >> >> >> 2017-11-16 15:23 GMT+08:00 Stanislav V. Smyshlyaev <smyshsv@gmail.com >> <mailto:smyshsv@gmail.com>>: >> >> In fact, PKEX (password-authenticated key exchange protocol by >> Dan Harkins, https://tools.ietf.org/html/draft-harkins-pkex-04 >> <https://tools.ietf.org/html/draft-harkins-pkex-04> - for >> Richard), as all secure PAKE protocols can help to upgrade most >> cases of authentication, when some shared secret (password or, as >> in Rich's example, an account number), to solutions which do not >> require having a primary trust to someone you're authenticating to. >> >> I'd also like to see PAKEs in the messengers, as I commented >> during the CFRG meeting yesterday. >> >> >> 2017-11-16 15:21 GMT+08:00 Richard Barnes <rlb@ipv.sx >> <mailto:rlb@ipv.sx>>: >> >> Sorry, what is PKEX? >> >> On Thu, Nov 16, 2017 at 3:11 PM, Salz, Rich <rsalz@akamai.com >> <mailto:rsalz@akamai.com>> wrote: >> >> I think the PKEX stuff is very interesting. It inverts >> the trust model used on the Web. Suppose I want to do >> some online banking with mybank.com <http://mybank.com>. >> My browser checks the server cert, and decided to trust >> it if the CA verifies the identity. I then type my name >> and password into the website. There is a risk if I end >> up at the wrong website. >> >> With PKEX, I can use my name and password and the bank >> can use something like my account number or other similar >> info, and we exchange and get a shared secret. We then >> use that secret to get an authenticated ECDSA key and >> then I switch to TLS and get its benefits. No >> third-party trust is needed. >> >> I think this solves an interesting use-case and it would >> be nice to have it in our toolbox. >> >> >> _______________________________________________ >> Cfrg mailing list >> Cfrg@irtf.org <mailto:Cfrg@irtf.org> >> https://www.irtf.org/mailman/listinfo/cfrg >> <https://www.irtf.org/mailman/listinfo/cfrg> >> >> >> >> _______________________________________________ >> Cfrg mailing list >> Cfrg@irtf.org <mailto:Cfrg@irtf.org> >> https://www.irtf.org/mailman/listinfo/cfrg >> <https://www.irtf.org/mailman/listinfo/cfrg> >> >> >> >> >> >> _______________________________________________ >> Cfrg mailing list >> Cfrg@irtf.org >> https://www.irtf.org/mailman/listinfo/cfrg > > > > > _______________________________________________ > Cfrg mailing list > Cfrg@irtf.org > https://www.irtf.org/mailman/listinfo/cfrg
- [Cfrg] I like PKEX Salz, Rich
- Re: [Cfrg] I like PKEX Richard Barnes
- Re: [Cfrg] I like PKEX Salz, Rich
- Re: [Cfrg] I like PKEX Stanislav V. Smyshlyaev
- Re: [Cfrg] I like PKEX Stanislav V. Smyshlyaev
- Re: [Cfrg] I like PKEX David Jacobson
- Re: [Cfrg] I like PKEX Stanislav V. Smyshlyaev
- Re: [Cfrg] I like PKEX Dan Harkins