[dix] Re: [Ietf-http-auth] New draft on anti-phishing requirements
Sam Hartman <hartmans-ietf@mit.edu> Mon, 22 May 2006 18:02 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1FiEjQ-0002pm-51; Mon, 22 May 2006 14:02:16 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1FiDiq-0003C1-Fv for dix@ietf.org; Mon, 22 May 2006 12:57:36 -0400
Received: from carter-zimmerman.dyn.mit.edu ([18.188.3.148] helo=carter-zimmerman.mit.edu) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1FiDiq-0001Ou-4R for dix@ietf.org; Mon, 22 May 2006 12:57:36 -0400
Received: by carter-zimmerman.mit.edu (Postfix, from userid 8042) id 5C56CE000E; Mon, 22 May 2006 12:57:28 -0400 (EDT)
To: EKR <ekr@networkresonance.com>
References: <tslr72mp213.fsf@cz.mit.edu> <868xou831c.fsf@raman.networkresonance.com>
From: Sam Hartman <hartmans-ietf@mit.edu>
Date: Mon, 22 May 2006 12:57:28 -0400
In-Reply-To: <868xou831c.fsf@raman.networkresonance.com> (Eric Rescorla's message of "Mon, 22 May 2006 08:58:23 -0700")
Message-ID: <tsl3bf2ov47.fsf@cz.mit.edu>
User-Agent: Gnus/5.1006 (Gnus v5.10.6) Emacs/21.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 03169bfe4792634a390035a01a6c6d2f
X-Mailman-Approved-At: Mon, 22 May 2006 14:02:14 -0400
Cc: dix@ietf.org, ietf-http-auth@lists.osafoundation.org
Subject: [dix] Re: [Ietf-http-auth] New draft on anti-phishing requirements
X-BeenThere: dix@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: Digital Identity Exchange <dix@ietf.org>
List-Id: Digital Identity Exchange <dix.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/dix>, <mailto:dix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/dix>
List-Post: <mailto:dix@ietf.org>
List-Help: <mailto:dix-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/dix>, <mailto:dix-request@ietf.org?subject=subscribe>
Errors-To: dix-bounces@ietf.org
>>>>> "Eric" == Eric Rescorla <ekr@networkresonance.com> writes: Eric> 1. This is not principally a protocol problem but rather a Eric> UI problem. The protocol problems are generally well Eric> understood. If the UI problems are solved, nearly any Eric> protocol will work. In particular, there have been a number Eric> of published designs [1] [2] that have mostly adequate Eric> (though not perfect) protocols, though without complete I agree with you that this is not principally a protocol problem. I'm not sure I agree that this is principally a UI problem; I think it is principally an architecture problem where you need the UI and protocol to cooperate. I also believe that as you point out, the protocol problems are mostly solved. I do think there is still work to do on getting a protocol that is easy to deploy and that for example deals with enrollment, etc. Eric> 2. It's really important to distinguish between different Eric> levels of attack. Conventional phishing attacks rely on Eric> generating a reference which appears to be valid but Eric> actually points at the attacker's site. (This is why SSL/TLS Eric> doesn't help much). Eric> But this is different from attacks in which the attacker Eric> actually intercepts the user's communication. In these Eric> settings, some sort of cryptographic protection for the Eric> channel (a la HTTPS) or the messages (a la S-HTTP) must be Eric> provided. Are there specific places in my document where you believe the distinction is critical? Eric> On a similar note, in current phishing attacks the Eric> attacker attempts to directly extract the user's Eric> password. If C-R mechanisms are used, a dictionary attack is Eric> natural. I assume that's why you wave in the direction of Eric> ZKPPs in S 4.3. However, it's worth asking whether we would Eric> be satisified with a system that was only partly Eric> strengthened against dictionary attacks (see [2] again). Yes, probably. I think we'd be satisfied with many things better than what we have:-) I think we'd like to get a ZKPP, but I think we have no reason to assume the IPR situation will be any better with this effort. Eric> 3. The term "password equivalent" is a bit confusing. See Eric> draft-iab-auth-mech for some discussion of strong versus Eric> weak password equivalent. Your IAB draft seems to be focusing on what is stored rather than on what is transported in the protocol. I don't have a problem if a server stores a weak password equivelant, but I do have a problem if the server stores or even receives a strong password equivelant. Eric> 4. I agree that server authentication is a good, but I'm not Eric> totally sold that it's a necessity. I will work on selling you or revising my position. Eric> 5. You write: Eric> The risk of dictionary attack is always a significant Eric> concern for password systems. Users can (but typically do Eric> not) minimize this risk by choosing long, hard to guess Eric> phrases for passwords. The risk can be removed once a Eric> password is already established by using a zero-knowledge Eric> password protocol. Eric> This is not strictly true. A ZKPP removes the risk of Eric> offline dictionary attack, but not online attack. These Eric> attacks do still get mounted [3] Yes, and I even know that:-) Thanks for pointing out that I was being sloppy. Will fix. Eric> However the risk of dictionary attack is always present Eric> when setting up a new password or changing a password. Eric> Minimizing the number of services that use the same password Eric> and being extra careful to make sure the right server is Eric> used when establishing a password can minimize this risk. Eric> It's not clear to me that this helps, unless you're assuming Eric> a ZKPP. If the attacker can capture a Eric> hashed password or Eric> C-R handshake (which a phisher can generally force in Eric> non-ZKPP cases) then they can mount an offline dictionary Eric> attack anyway. Consider a typical design where the user has Eric> a master password P and then generates per-site passwords as Eric> H(Site-Name || P). In the C-R handshake, the user provides: Eric> H(challenge || H(Site-Name || P). Eric> Dictionary attacking this isn't significantly harder than Eric> dictionary attacking H(Site-Name || P). I'm not sure what you meant by this above. If you mean using different passwords, I meant using different master passwords. I believe that actually does help. But I was assuming a ZKPP in that paragraph, and I believ in the ZKPP case, contacting the right server does help. I will update the text. Eric> 6. You write: Eric> In situations where there is an identity provider that is Eric> separate from the website as a relying party, additional Eric> requirements are needed. The identity provider MUST verify Eric> that the website is a valid relying party for this identity. Eric> Some identity providers will allow anyone to accept their Eric> identity. However particularly for financial institutions Eric> and large service providers it will be common that only Eric> authorized business partners will be able to accept the Eric> identity. The confirmation that the the relying party is Eric> such a business partner will often be a significant part of Eric> the value provided by the identity provider, so it is Eric> important that the protocol enable this. The relying party Eric> MUST prove its identity is the one expected by the identity Eric> provider. Eric> I agree that this is is a likely business goal for identity Eric> providers, but it's not required for protection against Eric> phishing. Really, there are two interests here: Eric> 1. To prove to the user (the guy with the browser) that he Eric> is doing business with an "authorized" provider. 2. To Eric> allow the identity provider to extract rents from the Eric> relying parties. Eric> Neither strictly requires the relying party authenticating Eric> to the identity provider during the transaction. The first Eric> can obviously done by issueing the relying party a long-term Eric> credential. The second can be done by encrypting the Eric> credential under the relying party's key. You don't Eric> necessarily need the identity provider to receive a proof Eric> that the relying party was able to decrypt it. I don't believe that my requirements would require that the relying party talk to the identity provider. I believe that assuming a reasonable set of trust anchors, having the web browser ask the identity provider if the dnsname is allowed to accept the identity. That provides a protocol hook allowing the identity provider to meet the requirement that it MUST confirm the relying party is a valid relying party for the identity. If the relying party later proves that it has a trusted certificate for this identity it meets the second requirement. Can you suggest clarifications to the text? Eric> -Ekr P.S. Thanks for the references. --Sam _______________________________________________ dix mailing list dix@ietf.org https://www1.ietf.org/mailman/listinfo/dix
- [dix] Re: [Ietf-http-auth] New draft on anti-phis… Eric Rescorla
- Re: [dix] Re: [Ietf-http-auth] New draft on anti-… Nicolas Williams
- [dix] Re: [Ietf-http-auth] New draft on anti-phis… Nicolas Williams
- Re: [dix] Re: [Ietf-http-auth] New draft on anti-… Eric Rescorla
- Re: [dix] Re: [Ietf-http-auth] New draft on anti-… Eric Rescorla
- Re: [dix] Re: [Ietf-http-auth] New draft on anti-… Nicolas Williams
- Re: [dix] Re: [Ietf-http-auth] New draft on anti-… Eric Rescorla
- [dix] New draft on anti-phishing requirements Sam Hartman
- [dix] Re: [Ietf-http-auth] New draft on anti-phis… Robert Sayre
- Re: [dix] Re: [Ietf-http-auth] New draft on anti-… Sam Hartman
- Re: [dix] Re: [Ietf-http-auth] New draft on anti-… Sam Hartman
- Re: [dix] Re: [Ietf-http-auth] New draft on anti-… Sam Hartman
- [dix] Re: [Ietf-http-auth] New draft on anti-phis… Sam Hartman
- [dix] Re: [Ietf-http-auth] New draft on anti-phis… Sam Hartman
- [dix] Re: [Ietf-http-auth] New draft on anti-phis… Eric Rescorla
- [dix] Re: [Ietf-http-auth] New draft on anti-phis… Eric Rescorla
- [dix] Re: [Ietf-http-auth] New draft on anti-phis… Nicolas Williams
- [dix] Re: [Ietf-http-auth] New draft on anti-phis… Robert Sayre
- [dix] Re: [Ietf-http-auth] New draft on anti-phis… Sam Hartman
- [dix] Re: [Ietf-http-auth] New draft on anti-phis… Nicolas Williams
- Re: [dix] Re: [Ietf-http-auth] New draft on anti-… Thomas Roessler
- Re: [dix] Re: [Ietf-http-auth] New draft on anti-… Chris Drake
- Re: [dix] Re: [Ietf-http-auth] New draft on anti-… Eric Rescorla
- Re: [dix] Re: [Ietf-http-auth] New draft on anti-… Nicolas Williams
- Re: [dix] Re: [Ietf-http-auth] New draft on anti-… Eric Rescorla
- Re[2]: [dix] Re: [Ietf-http-auth] New draft on an… Chris Drake
- Re: [dix] Re: [Ietf-http-auth] New draft on anti-… Eric Rescorla
- Re: [dix] Re: [Ietf-http-auth] New draft on anti-… Eliot Lear