[http-auth] AD review of draft-ietf-httpauth-mutual-08
Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Fri, 12 August 2016 02:18 UTC
Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: http-auth@ietfa.amsl.com
Delivered-To: http-auth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DE54012B019 for <http-auth@ietfa.amsl.com>; Thu, 11 Aug 2016 19:18:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sONAA4x_Lr0I for <http-auth@ietfa.amsl.com>; Thu, 11 Aug 2016 19:18:07 -0700 (PDT)
Received: from mail-ua0-x22a.google.com (mail-ua0-x22a.google.com [IPv6:2607:f8b0:400c:c08::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6D4C5127058 for <http-auth@ietf.org>; Thu, 11 Aug 2016 19:18:07 -0700 (PDT)
Received: by mail-ua0-x22a.google.com with SMTP id 74so22179894uau.0 for <http-auth@ietf.org>; Thu, 11 Aug 2016 19:18:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:from:date:message-id:subject:to; bh=AvI/jJ4PrRp02JnUqFdyWU2kUDJUBNw661cnTVdPhCI=; b=VnspvhADqrOxhRIu6JYt06hgUawhHL8ibdgisyJQigtral9lsD9rmY1SvSyW9AlMNv xsLnvgLYbzDxghLxQmtOoEPw2pXLiroJ6VM6aHEIQ1bjxIePdxcXxmtsJVNvsRZKUv2y 99VT8C3VKepHcUMgJwqKPy7WQprc26FbOLiFHQCE99RSmsNlNDhlJz3HzqOByLsKMXOQ Pe2mBLGHEfJbgEhGM5ZCkapyPBhlnQrZSF/Twm+XgeztkQSTaMf3tKK5xBm38v4A6HO5 tYB0a4c3g8QUL3Le4HDbu6KcHzTxGfvFJ2jwCtZ7rj+I8jh26RbZDSoLUTKzWmmxRxlG N5Xw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=AvI/jJ4PrRp02JnUqFdyWU2kUDJUBNw661cnTVdPhCI=; b=co6/gsJKhZwFzJMREoKO+h0+8zPqUHE02b2zly1Dx/lDLZAgUrWP3GNBOXrfyCoPoz Rafzt+3cCsRgBOnptYCvfBVS1Y4sMoKwdp+OHDXJa6VMwJVIRjAKriJQ+EAFiebrBthB RtiqjoMXzltSouHdfD8BhouKfbpcqC+HYr4OWwnkRNypyScQDejX8Pu+WqBkfmHymt5d q/pIVPu0pDo59F5ovSHMjlwBLRUavPN8Gg+PE+MTBcOBYwOmduipPDEzIQ3w4TZb1UYH /2fRfSB4+KaAiVLeFt5an2hvT0EkBsi2OpuLuTEjEenvXzBI7zgJlBQoC0OtOCOas/9D ThJg==
X-Gm-Message-State: AEkooutOk4q1QD3grWozKYLgbIWe50kSHApg5iXu+mERK4jjvmuP+T46aSXTPeYtWnqjPSAtydlydW0Hldnjwg==
X-Received: by 10.31.50.86 with SMTP id y83mr6430440vky.81.1470968286294; Thu, 11 Aug 2016 19:18:06 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.176.1.228 with HTTP; Thu, 11 Aug 2016 19:18:05 -0700 (PDT)
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Date: Thu, 11 Aug 2016 22:18:05 -0400
Message-ID: <CAHbuEH5YL=WHfqf7xvUfU8gmmYoJ7ZwD0R=BUfoE1+PT5haqJQ@mail.gmail.com>
To: "http-auth@ietf.org" <http-auth@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/http-auth/NxgkI-6nzvdih3rvY-bnyH9zm7Q>
Subject: [http-auth] AD review of draft-ietf-httpauth-mutual-08
X-BeenThere: http-auth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: HTTP authentication methods <http-auth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/http-auth>, <mailto:http-auth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/http-auth/>
List-Post: <mailto:http-auth@ietf.org>
List-Help: <mailto:http-auth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-auth>, <mailto:http-auth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Aug 2016 02:18:09 -0000
Hello, Thank you for your work on draft-ietf-httpauth-mutual-08. I will try to get through my AD review of the accompanying draft tomorrow. I read through the draft and have the following questions. ----- Section 2.1, in the following text: o Authenticated key exchange messages: used by both peers to perform authentication and the sharing of a cryptographic secret. * req-KEX-C1 message: a message sent from the client. * 401-KEX-S1 message: a message sent from the server in response to a req-KEX-C1 message. 1. What does the response mean? Is there a pass/fail message in the response or is this just an ack that the message was received by the server to the client? Then in the following: * 200-VFY-S message: a client-authentication successful response used by the server, which also simultaneously asserts to the client that the server is authentic. 2. Maybe this will be clear as I read further through the draft, but that seems like a lot to assert at once. This note is a placeholder for me in case I do't feel like there is an adequate answer when I get deeper into the draft. ----- Second bullet on page 7: o At this point (5), both peers calculate a shared "session secret" using the exchanged values in the key exchange messages. Only when both the server and the client have used secret credentials generated from the same password will the session secret values match. This session secret will be used for access authentication of every individual normal after this point. 3. I think a word may be missing in the last sentence, can you rephrase it? I'm not able to parse it. ----- In another bullet on page 7: o If the authentication verification value from the client was correct, it means that the client definitely owns the credential based on the expected password (i.e., the client authentication succeeded). The server will respond with a successful message (200-VFY-S) (7). Contrary to the usual one-way authentication (e.g., HTTP Basic authentication or POP APOP authentication [RFC1939]), this message also contains a server-side authentication verification value. When the client's verification value is incorrect (e.g., because the user-supplied password was incorrect), the server will respond with the 401-INIT message (the same one as used in (2)) instead. 4. This last section should specify that the extensive-token indicating an authentication failure must be included. I would also recommend that this information be logged and have that stated in this draft. Since we are pushing for protocols to be encrypted, the use of sniffers to detect errors will continue to fall off and people will need to rely on logs more. I think it would be more helpful to have an accurate log that responds saying the authentication failed (user/password if you don't want to say which). Encouraging richer logs will be more helpful going forward. ----- In Section 7, just to make sure I am reading this correctly: The valid tokens for the validation parameter and corresponding values of vh are as follows: host: host-name validation: The value vh will be the ASCII string in the following format: "<scheme>://<host>:<port>", where <scheme>, <host>, and <port> are the URI components corresponding to the currently accessing resource. 5. By "currently accessing resource", you mean the source system, correct? It might be better to rephrase that so it is clear since this is important to developers. ----- 6. In Section 8, it is the reason parameter of the INIT that lets you know if t is 'valid', correct? Authentication-initializing messages with the Optional-WWW-Authenticate header are used only where the 401-INIT response is valid. It will not replace other 401-type messages such as 401-STALE and 401-KEX-S1. I think it would be helpful to explicitly state what is a valid response unless that is defined already and I missed it? I think it depends on the token or extensive token set in the reason parameter of the INIT message. ---- 7. In section 10.1, if you change "normal responses" to "normal response", it is easier to fix the grammar in the following sentences: This also holds true for the reception of "normal responses" (responses which do not contain Mutual authentication-related headers) from HTTP servers. change to: This also holds true for the reception of a "normal response" (responses which do not contain Mutual authentication-related headers) from HTTP servers. from: Any kinds of "normal responses" MUST only be accepted for the very first request in the sequence. Any "normal responses" returned for the second or later requests in the sequence SHALL be considered invalid. change to: Any kind of "normal response" MUST only be accepted for the very first request in the sequence. Any "normal response" returned for the second or later request in the sequence SHALL be considered invalid. ------ 8. Section 10.1, please consider rewording the following sentences to make it easier to read: o In the same principle, any responses which refer to or request changing to an authentication realm different from the client's request MUST only be accepted for the very first request in the sequence. Any kind of responses referring to different realms which are returned for the second or later requests in the sequence SHALL be considered invalid. ----- 9. In section 17.2, it might be helpful to include a reference to the TLS 1.2 BCP, RFC7525. The bullet might say something like, when TLS 1.2 is used, follow best practices in RFC7525. ----- 10. Section 17.3 is the first place I see a clear motivation for this protocol. It might help to have this stated in the introduction. Although the points about password attacks in section 17.2 leave me questioning how much of an improvement this really is. How much analysis was done on this new method? I know the drafts have been around for a while. I'd have to take another pass at the documents to dig deeper, but would like to know if this analysis was done. Can you make the statement that this is more secure? The motivation for HOBA was clear - getting rid of the use of passwords. Passwords are not sent in the clear, but this isn't stated in a motivation section. It just is part of the protocol and mentioned at the end of section 17.5. It might be helpful to include this in the introduction as well in a motivation paragraph. The abstract saying that, "server truly knows the user's encrypted password" isn't the same as saying that the password is encrypted on the wire and doesn't rely on transport encryption. ----- 11. Section 17.3. I'm not clear on this sentence in the last paragraph: Of course, in such cases, the user interfaces for asking passwords for this authentication shall be clearly identifiable against imitation by other insecure password input fields (such as forms). Common attacks of this nature would be to direct users to a form that isn't the real form. Is it the mutual authentication that helps here? If so, explain how. How is it clearly identifiable against imitation? -- Best regards, Kathleen
- [http-auth] AD review of draft-ietf-httpauth-mutu… Kathleen Moriarty
- Re: [http-auth] AD review of draft-ietf-httpauth-… Kathleen Moriarty
- Re: [http-auth] AD review of draft-ietf-httpauth-… Yutaka OIWA
- Re: [http-auth] AD review of draft-ietf-httpauth-… 大岩寛
- Re: [http-auth] AD review of draft-ietf-httpauth-… Kathleen Moriarty
- Re: [http-auth] AD review of draft-ietf-httpauth-… Kathleen Moriarty
- Re: [http-auth] AD review of draft-ietf-httpauth-… 大岩寛
- Re: [http-auth] AD review of draft-ietf-httpauth-… kathleen.moriarty.ietf