IETF Logo Mail Archive

Re: [Ietf-http-auth] Re: [dix] Notes on Web authentication enhancements

Eric Rescorla <ekr@networkresonance.com> Thu, 06 July 2006 19:29 UTC

Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1FyZXa-0000Ve-Mz; Thu, 06 Jul 2006 15:29:34 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1FyZXZ-0000VU-W7 for dix@ietf.org; Thu, 06 Jul 2006 15:29:33 -0400
Received: from raman.networkresonance.com ([198.144.196.3]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1FyZXY-0000AE-Fo for dix@ietf.org; Thu, 06 Jul 2006 15:29:33 -0400
Received: by raman.networkresonance.com (Postfix, from userid 1001) id 064B21E8C1C; Thu, 6 Jul 2006 12:29:32 -0700 (PDT)
To: Sam Hartman <hartmans-ietf@mit.edu>
Subject: Re: [Ietf-http-auth] Re: [dix] Notes on Web authentication enhancements
References: <20060619220742.40B85222427@laser.networkresonance.com> <tsl3bdoiq9g.fsf@cz.mit.edu> <86mzbqbwjm.fsf@raman.networkresonance.com> <tslk66qa6wi.fsf@cz.mit.edu>
From: Eric Rescorla <ekr@networkresonance.com>
Date: Thu, 06 Jul 2006 12:29:31 -0700
In-Reply-To: <tslk66qa6wi.fsf@cz.mit.edu> (Sam Hartman's message of "Thu, 06 Jul 2006 15:07:57 -0400")
Message-ID: <86k66qwmzo.fsf@raman.networkresonance.com>
User-Agent: Gnus/5.1007 (Gnus v5.10.7) XEmacs/21.4.19 (berkeley-unix)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Spam-Score: 0.0 (/)
X-Scan-Signature: b4a0a5f5992e2a4954405484e7717d8c
Cc: Digital Identity Exchange <dix@ietf.org>, ietf-http-auth@lists.osafoundation.org
X-BeenThere: dix@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: EKR <ekr@networkresonance.com>, Digital Identity Exchange <dix@ietf.org>
List-Id: Digital Identity Exchange <dix.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/dix>, <mailto:dix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/dix>
List-Post: <mailto:dix@ietf.org>
List-Help: <mailto:dix-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/dix>, <mailto:dix-request@ietf.org?subject=subscribe>
Errors-To: dix-bounces@ietf.org

Sam Hartman <hartmans-ietf@mit.edu> writes:

>>>>>> "Eric" == Eric Rescorla <ekr@networkresonance.com> writes:
>     >> An additional issue is hijacking: without cryptographic
>     >> binding, an attacker who observes a request can make future
>     >> requests in the name of the user via a cut-and-paste attack
>     >> (remember, the token is bearer). If you take the threat of this
>     >> type of attack seriously, you need to run the traffic over
>     >> SSL/TLS. [1]
>     >> 
>     >> 
>     >> [1] Note that if you're worried about this class of attack, you
>     >> need *every* PDU to be cryptographically bound to the
>     >> credential with all designs. If, for instance, you use
>     >> cert-based auth but then transition to cookies over HTTP for
>     >> state management, there's a cut-and-paste attack there.
>     >> 
>     >> 
>     >> I think the primary paragraph is misleading.  We've started
>     >> from an assumption that there are practical problems that
>     >> prevent server certificates from being validated.  Given this
>     >> assumption I don't understand how TLS actually gives us
>     >> protection against the hijacking.
>
>     Eric> Imagine a case where you have credentials that have CRA but
>     Eric> not HRA. A good example is Boneh's PwdHash, which includes
>     Eric> the domain name of the server in the "password". If it's
>     Eric> restricted to use with SSL/TLS then you know that each RP
>     Eric> will have a unique domain name and therefore each "password"
>     Eric> is unique to a single RP, so there's automatic CRA--if the
>     Eric> user is phished the phisher must pose as a different RP
>     Eric> because he has a different certificate. [0]
>
> This is not true of all credentials that have cra but not ha--or at
> least I don't see why it is.  TLS only provides security because you
> bind the two authentication layers together by using the same naming
> for both the TLS authentication and the higher layer authentication.
> (It also assumes that your CA is trusted; that assumption seems
> consistent with our threat model.)
>
> I was explicitly trying to get at the fact that you needed to do
> something in addition to TLS.  Here you've made the naming be the
> same.

Sorry, I don't see what you're getting at. PwdHash is specified to use
the domain name of the server as the hash salt. RFC 2818 requires
that that domain name match the server's certificate. There's nothing
additional required.


>     >> I also think the footnote ignores an important deployment
>     >> model.  I may be concerned about whether I have reached the
>     >> right RP while not concerned about network level hijacking.  So
>     >> I'm not at all convinced that you always need to protect every
>     >> exchange if you are concerned about hijacking in some
>     >> situations.
>
>     Eric> By hijacking, I mean network level hijacking. If you mean
>     Eric> typos and phishing, then I think this is a different threat.
>
> Can we have a name for that threat, because I thought you were
> lumping the two together.

Uh, I call the other one "phishing" or "credential capture"

-Ekr

_______________________________________________
dix mailing list
dix@ietf.org
https://www1.ietf.org/mailman/listinfo/dix

v2.8.7 | Report a Bug | By Email