IETF Logo Mail Archive

Re: [Cfrg] aPAKE Analysis

Björn Haase <bjoern.m.haase@web.de> Tue, 17 September 2019 17:12 UTC

Return-Path: <bjoern.m.haase@web.de>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 103A61200EC for <cfrg@ietfa.amsl.com>; Tue, 17 Sep 2019 10:12:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=web.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id P31hPyExAnLt for <cfrg@ietfa.amsl.com>; Tue, 17 Sep 2019 10:12:47 -0700 (PDT)
Received: from mout.web.de (mout.web.de [212.227.17.12]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BACD812008A for <cfrg@irtf.org>; Tue, 17 Sep 2019 10:12:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=web.de; s=dbaedf251592; t=1568740359; bh=dklPtonbkCNpvb2GU9orVId77Znx72cZRZPJSVeXxB0=; h=X-UI-Sender-Class:Subject:To:References:From:Date:In-Reply-To; b=WVC2Q/FyGScXZWUIVjf/IRJyDudJ9O9YN3tyNsjn7WuTSGTBQU/aHeINoJjhYzVtF CP5fVp2+a//J2vST6wF2OAgzOKBPbIe35R2tuHfOZ0jI1a4mlINyrjumvUlosMw9BN OIetX5M9vTIp8sAdV/TV70spTQaHMnSwmDRsdVvA=
X-UI-Sender-Class: c548c8c5-30a9-4db5-a2e7-cb6cb037b8f9
Received: from [192.168.2.161] ([188.99.139.172]) by smtp.web.de (mrweb103 [213.165.67.124]) with ESMTPSA (Nemesis) id 0LaCbS-1hnu7E1mCE-00m1bi; Tue, 17 Sep 2019 19:12:38 +0200
To: Jonathan Hoyland <jonathan.hoyland@gmail.com>, cfrg@irtf.org
References: <1000404210.104219.1568701269003@email.ionos.com> <CACykbs3Bk40DpPb56SRXZJMHstUQqsT-n-Gkntrb0bhNss=zPw@mail.gmail.com>
From: Björn Haase <bjoern.m.haase@web.de>
Message-ID: <69b5533a-29ea-a92d-260c-43bb7f80b7b2@web.de>
Date: Tue, 17 Sep 2019 19:12:32 +0200
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.9.0
MIME-Version: 1.0
In-Reply-To: <CACykbs3Bk40DpPb56SRXZJMHstUQqsT-n-Gkntrb0bhNss=zPw@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: quoted-printable
X-Provags-ID: V03:K1:2DH28x0gIrM/n1l7z7RBgMOk4xJWvbuwnhMafNX8PFrUrcJq/pr nirxG+sMmdkg4IPqcfBaTLUe9S5U1CmmAUF7W3lYSdJAdxEabudZMHa5pdf9qvjWa4QrsRG LY/GTc4zW+8TS/ih187AstVmqhAiU3Oa5fvHZRieAIAjXecgyoPrtt7FCms52hb3ithM4ZX 8lOFO9380jnKpST7/dsyw==
X-UI-Out-Filterresults: notjunk:1;V03:K0:D49jh/JZKpo=:m6K+HVZkFplR6FQI7BVFkM d6WYFWjoy55gsgwWabOrEuM8FxgnzmDYRimDjYmeqgeMvhYZd3+LRGYFYHuTK849lLpy2Q4Bb 5Gf/i6eW92u0zvZesOHCfJ40LdOqv5yQ5ERE5yx8ayFHrWU5KT7dY3xBfGYyyr0Pc37sRab13 16XcpRiJlWZsab4ze3QAWDGkQyti/kzu1AZa9MuJZzuAFwJcuo+3t5Is07yoJntMGSe+gTbEo 4OytZwTEnVe/dD3JYkRv66LOV/XNYaGEUnr0f7vy+aavPxUp6QK3LCqDYdDa94eBOpexOcVoj n6CKzVsgPnNZ3V3rvDTKxni9Lm6khDhIoMp37t1B95IiZbLGVLzWT6eLD+rpLA8kYOvdj4Mrk TWAWZq1mXdGt8GwdiWXV654llwLyPOG1Ll3W10ygNgg6LYbEIRenOuW8/U7fcPoNMzL0HXaPV PDvEplZnIsmZ21eT7IbpA3Sm9dsLI/ANVZsDPN+UBqvFhdt6difkMnjfQEKdqnL8W6eJ3BGrx q2PI6IV4Y91Iglc46pfY0lIQapG6+gowzhW7zxiAHXmvQpTcfck+0V7DRojWBdnZwXHuzet7V t8M0qLxzpP7go1j6CdHJFP9opd/Nj6HIgtaa3Gr20IlkiqQpy1xaiP8S60Enf4MVdlVpa6SsT z5CT0Qqvb2ehQJun30QK+aFDHdr+nwpM/lBoubsuBTu9I/0H5G+FBBGVvm/Ym5gKmN552Th6l 8qncg6xceI1tigaIID2wZJWiGw+szT+wbW/MiGo6HKmNY+W3pXqqKpSbWc3jpOph9E2HnVITs Wt+JDT9/psAOBAwmuRqS3XaIobcQ8Tk6Q7PigNiFRmNYbC8pi3UoqSrtSzi8PF3rb5X7MPJWl Nobyfyr0H3gTjoawkl5cXe52om9sZkotLwl/SK8KRPoGsDBCzYFZrux+mw45HGDLfDClTlCDI uCE0U6lftV6pQb0oKmmjISSWU9OxDx2Vu+PxVxooJjoG5Ka4v74IR4I0gJu9X5CfbyHZz7QMs y6JbsvyCa1KQWq004DRxxpxxfgUtTJ697rsYgydsb807d+GIdCskx/fbHKbnYHOyFtJ7dcfli P+XuM3uPRgGaHMdCrsNtdG8i8nG4cRoTZMRaKsTlJ4HZwX7gKWIl36ajLAEkIDZAzlevpP54p AHZDgUkxd9T2jnf1MaXr7/NSkRKtu/9F1N1bvRCRI9x6eSQI4RxaqqfTMHxCzlw2hpSxd4vO7 wHdNxB4xZyv7YQmNwcgSHpOJ+HXknwSAyz1vXYK4ATf9vGKO0YTrOWQASmWs=
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/QA7gUeSD3XYkPw5GTbKs1Obw3Kg>
Subject: Re: [Cfrg] aPAKE Analysis
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Sep 2019 17:12:49 -0000

Hi Jonathan,


> The issue with AuCPace is that it's complicated to bind to TLS without
> adding two round trips, but I'm sure the issues aren't insurmountable.
>
The question that is in my opinion not yet really answered is, how far
we aim at supporting the "human-user" login support for TLS. Once you
are dealing with passwords you *have* to answer also questions such as

- How does the application trigger a re-authentication?

- How would the user be changing his passwords?

- How would we be adding users?

In my opinion, there should be some "security subsystem" clearly
separated from the normal "application" that handles the "functional
code". My main job is design of explosion-protected intrinsically safe
electronics. There we make a clear distinction between the "functional
subsystem" and the "intrinsic safety subsystem" which we try to keep as
separate as possible in order to avoid the risk of accidental hazards.

I think such type of a concept would be also very helpful for an
application with security needs.

For handling passwords, I see the need for the "security subsystem" to
arrange for all of the rather complex configuration topics (password
changes, user management, re-authentication, change-privileges, etc.). 
A comprehensive solution (where PAKE is nothing but one important
building block) will need far more than what we would be willing or able
to offer by the TLS component.

For this reason, I am advocating to rather design TLS to be one
important but rather small building block which provides interfaces to
other components which in its entity would provide the "security
subsystem". For this reason, I am rather suggesting to do two things

- Integrate a balanced PAKE such as CPace into TLS

- At the same time provide the necessary interfaces to TLS such that we
could build up an augmented and pre-computation-attack resistant PAKE on
top of CPace. This is essentially, what I am suggesting to do with
AuCPace. The "Au"-Part would end up in components such as Linux's PAM
(server side) and password managers (client side) and the "CPace" part
would become integral part of TLS.

This would also solve the round-trip problem in my opinion. Note that
the fact that AuCPace could also run in a conventional
non-precomputation-attack-resistant mode, would make it possible to use
it with today's form of PAM-style user credential databases. If PAM gets
upgraded one day, one could also offer pre-computation-attack resistance
in a second step.

Yours,

Björn.

v2.23.0 | Report a Bug | By Email