Re: [Cfrg] Proposed PAKE Selection Process // Integration in TLS ?

Natanael <> Wed, 19 June 2019 11:44 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 79FA01202EC for <>; Wed, 19 Jun 2019 04:44:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id s7TMaLzS8-kc for <>; Wed, 19 Jun 2019 04:44:46 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4864:20::d34]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 9C6FC12011D for <>; Wed, 19 Jun 2019 04:44:46 -0700 (PDT)
Received: by with SMTP id u19so37319940ior.9 for <>; Wed, 19 Jun 2019 04:44:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=ceYo1pIvs2CfTi4aEKdI2RdZgGqYkUSFlQjd0nisrj0=; b=RrZnEsdzx6YBQpUqwYiBIScWI/7Q9kQcoRlLCChiZErjsO6iBcl9s34vAbP/e4fnN6 FYt91rqCtsSSZ99WlJ+Es11QjF26vzbDEi8HOL+0viFgNuuWZTq69Vp3bsl6rsgofOYh mWU+Din/sh1uZVSGwPeaRMGfnjfzfTBcQOWXFrqAAGVDiN5BxsRsV5RNgv3oJiSckLHC VSK0GLLHR2lF7FxEUzwsjhB9VohanNcwIwX5e+GxhHPWWw737ZH4VpdaN0pxct8oKtQ6 CcH36yhVoLDOjHSr0bgcHk8V3O2t/VkcACFO6UiXV2eKzh2N2/UjONDAOOoid2D2nVut 78rA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=ceYo1pIvs2CfTi4aEKdI2RdZgGqYkUSFlQjd0nisrj0=; b=Pz0wGdsi6XxSE2sBFjY2kJ5FVHSprA1sj+3699I7+Sah+PGuPP+nhFMQpsa5ani/Jo 76c+Qodd6GGUiru6RLw120RCaMlw0tSjHnfkCQadA1yBPZawd8P6hPMe17ZAhzwWxDTP el9VCF9qo5xvu2j29kBMmzmRuKVeGeZWeC/KOSxDyQSMheraopz191umErHME9vzGxKB fIJxQaQB2jfRqdEoozdEcxiF5rtU8IfsPH9OklDofxlekf+g9ykE1h+gl9w6hHDYxjxV Cp1/SlEwzFRe5IVyT8H4SJZnsDLGxDk+DqAWd1dQV5BjjQXAf1pS14D1baa7gIchUpNo x9/g==
X-Gm-Message-State: APjAAAUPwnLzEf5lIdJQVU1yGkLEAGe2DrXE+vUhU7rZaH4N8uTiM+5z 0+qnBvFWSt/KHyplOqA+Qz1HiyNTtysxCszKbmA=
X-Google-Smtp-Source: APXvYqw9FjxOOi+IDMCIUGr/dOuB7sNEwBsrXIyNwZc+aXTl76euZwrN4yWHnpLnQt2cNsBR5pEwCPPKHCBQ5HVSoRE=
X-Received: by 2002:a02:cc6c:: with SMTP id j12mr8545551jaq.102.1560944685805; Wed, 19 Jun 2019 04:44:45 -0700 (PDT)
MIME-Version: 1.0
References: <trinity-24ffcea8-2b91-42e5-9546-f533a825e019-1560936106868@3c-app-webde-bs23>
In-Reply-To: <trinity-24ffcea8-2b91-42e5-9546-f533a825e019-1560936106868@3c-app-webde-bs23>
From: Natanael <>
Date: Wed, 19 Jun 2019 13:44:32 +0200
Message-ID: <>
To: =?UTF-8?B?QmrDtnJuIEhhYXNl?= <>
Content-Type: multipart/alternative; boundary="00000000000082f528058babc1a2"
Archived-At: <>
Subject: Re: [Cfrg] Proposed PAKE Selection Process // Integration in TLS ?
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 19 Jun 2019 11:44:50 -0000

On Wed, Jun 19, 2019 at 11:22 AM "Björn Haase" <>

> [...]
> > Eric Crocket wrote:
> >1. We would like to see the standardization of both a standalone scheme
> and its integration into TLS, similar to SRP (RFCs 2945 and 5054) or OPAQUE
> I fully agree with you and also would also like to see PAKE integrated as
> a component in TLS. The important aspect to consider, when doing this, IMO
> will be that we are then integrating components into the TLS stack which
> today mostly are assigned to the "application layer" (which often should be
> expected not to consider security adequately).
> E.g. after a successful TLS-managed login the application on the server
> will need to know which user is just logged-in, e.g. in order to find out
> which authorization rights to attribute to the current session.This means
> that the interface to the TLS system would become somewhat more powerful
> and complex, by providing interfaces regarding user accounts.
> Also for some use-cases, the application will have the need to request a
> re-authentication of a HMI user: Consider, e.g. the use-case of a "Do you
> really want to trigger the self-destruction functionality? Please re-enter
> the password" mask.
> I.e. for the use-case that you did sketch (similar to my use-case U2)  I'd
> see the need for interfaces between the TLS system and the "application
> layer" for
> - Querying which user is logged in and optionally mange authorization
> rights
> - Arranging for a re-authentication upon application request, possibly
> with another account (similar to a "su" shell command on unix systems).
> - Optionally: Managing user accounts (e.g. Password changes, changes of
> authorizations).
> The key question that makes above components mandatory (IMO) is: Does the
> application layer need to consider user accounts with different
> authorization levels?
> In the settings that I have in mind (my use case U2) the answer is:
> Definitely "yes, we need to deal with the complexity of user authorization
> levels."
> How is the situation in your AWS use-cases?
> IMO the aspect of a possibly more complex TLS interface will generate a
> lot of discussions, but this is definitely manageable. We have been doing
> this specifically in our proprietary TLS-like security stack for our
> industrial HMI service app (E+H SmarBlue). The advantage of integrating the
> account management in our security/networking stack is that this way, we
> were able to clearly modularize the software into a security-submodule and
> an application-module.
> [...]

First of all, regarding UX:
If a PAKE were integrated, I would like to see integration in browsers
between WebAuthn (U2F) and the PAKE such that activating the 2FA prompt
also could trigger a secure password prompt from the "user agent" i.e. the
browser (potentially this doesn't need direct integration, if the site
itself can trigger PAKE when it detects successful 2FA authorization).

Consider for example something like Google's 2FA activated login flow:
first enter username, click next. The browser now prompts for verification
with your 2FA hardware token, and you press a button on this device (or
equivalent). After 2FA verification, the web page then shows the web form
for the password entry. But in the integrated PAKE version, the last step
(of pressing the 2FA hardware button) instead opens a PAKE password prompt
via the browser, instead of via a web form. This substantially improves
phishing resistance and related security properties.

Also, in this PAKE prompt, the website should be able to show its site name
/ domain and your entered / remembered username, as a context for what
password to enter.

Any potential integration with other software like password managers is
entirely an implementation issue, for client software like browsers to deal
with on their own.


Second, regarding API:s and authorizations in the client-server model,
(Disclaimer, I'm no expert on these issues, so no guarantees that any of
this is accurate or would be an improvement)

All of that with account information and more seems a bit unnecessarily

Could you not simply treat the PAKE generated session key as a cookie /
token (of which you can have multiple), perhaps with just some basic
metadata attached? So when you log in with PAKE, it could generate a token
with something like a key-value label attached (server specified) to
indicate purpose. This could then allow the application layer to locally
track which accounts and permissions* are associated with the held tokens.

The TLS then layer wouldn't necessarily need to understand what the labels
means (maybe with exceptions, I'm no expert on issues like XSS attacks),
only the application layer needs to understand this. The TLS / PAKE layer
would only be involved in preventing forged / manipulated tokens.

A client which sees that an action requires a new PAKE generated token for
a permission which it lacks can then prompt for a password to be re-entered
through another PAKE prompt. For example, a client would understand that a
login token can't change something like payment data (through application
layer logic).
And some tokens can be single-use (like authorization of sensitive
actions). This simultaneously solves the issue of tracking multiple
permissions for one account as well as multi-account authorization, since
the application layer can associate all of this with the key-value pairs.

* The issue I'm seeing here is when you have a variety of permissions
available, potentially changing over time (without re-running PAKE), and
want to express exactly which are authorized. To keep the TLS layer simple,
my opinion is that this logic should be pushed to the application layer and
thus forcing it to track associated permissions (changes included) for each
singular token (1 PAKE password entry = 1 token + 1 key-value pair).

At most, any deeper integration should stop at letting the server push a
replacement key-value association for active tokens in order to selectively
alter permissions with minimal server side state and without running PAKE
again, assuming the server use some scheme like Macaroons;