Re: [Cfrg] Adoption of draft-ladd-spake2 as a RG document

"Derek Atkins" <derek@ihtfp.com> Mon, 15 December 2014 19:02 UTC

Return-Path: <derek@ihtfp.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E9A191A86E0 for <cfrg@ietfa.amsl.com>; Mon, 15 Dec 2014 11:02:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1ytXxLfEQAw3 for <cfrg@ietfa.amsl.com>; Mon, 15 Dec 2014 11:02:12 -0800 (PST)
Received: from mail2.ihtfp.org (mail2.ihtfp.org [IPv6:2001:4830:143:1::3a11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F06F31A875D for <cfrg@irtf.org>; Mon, 15 Dec 2014 11:02:09 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mail2.ihtfp.org (Postfix) with ESMTP id 89A6CE2036; Mon, 15 Dec 2014 14:02:07 -0500 (EST)
Received: from mail2.ihtfp.org ([127.0.0.1]) by localhost (mail2.ihtfp.org [127.0.0.1]) (amavisd-maia, port 10024) with ESMTP id 12106-02; Mon, 15 Dec 2014 14:02:01 -0500 (EST)
Received: by mail2.ihtfp.org (Postfix, from userid 48) id 6AA7FE2039; Mon, 15 Dec 2014 14:02:01 -0500 (EST)
Received: from fe80::ea2a:eaff:fe7d:235 (SquirrelMail authenticated user warlord) by mail2.ihtfp.org with HTTP; Mon, 15 Dec 2014 14:02:01 -0500
Message-ID: <2996e2e44130388e1fdc35f5c3db6ad6.squirrel@mail2.ihtfp.org>
In-Reply-To: <b8f82610b41d95a3b417a78a171e34df.squirrel@www.trepanning.net>
References: <BF9DADF6-003F-454D-8E96-4A28A060CA72@isode.com> <A635D82B-B55C-4574-AB73-D0408853D642@gmail.com> <b8f82610b41d95a3b417a78a171e34df.squirrel@www.trepanning.net>
Date: Mon, 15 Dec 2014 14:02:01 -0500
From: "Derek Atkins" <derek@ihtfp.com>
To: "Dan Harkins" <dharkins@lounge.org>
User-Agent: SquirrelMail/1.4.22-14.fc20
MIME-Version: 1.0
Content-Type: text/plain;charset=utf-8
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
X-Virus-Scanned: Maia Mailguard 1.0.2a
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/fkEbFcoaz605FAOho0LfzEhlI8g
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Adoption of draft-ladd-spake2 as a RG document
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Dec 2014 19:02:15 -0000

On Mon, December 15, 2014 1:55 pm, Dan Harkins wrote:
>
> On Mon, December 15, 2014 3:16 am, Yoav Nir wrote:
> [snip]
>> But I would really like to know who needs a PAKE right now. PAKEs
>> require
>> the server to store the cleartext password or a password equivalent,
>> creating a security issue that is potentially worse than sending
>> cleartext
>> passwords through authenticated channels (as in form-based or basic
>> authentication to a TLS-protected server)
>
>   Augmented PAKEs do not require a cleartext password. And any
> scheme that sent a cleartext password over a TLS connection would
> also require "the server to store the cleartext password" so it's not
> clear
> how using a PAKE is "potentially worse".

Actually, no, the server can store the (salted) hash of the password, so
the cleartext password is only available to the server during the time it
takes to generate the (salted) hash and verify it against storage.  So I
would argue that your statement "any scheme..." is clearly incorrect.

-derek
-- 
       Derek Atkins                 617-623-3745
       derek@ihtfp.com             www.ihtfp.com
       Computer and Internet Security Consultant