Re: [TLS] User Defined Key Pair

"OMAR HASSAN (RIT Student)" <omh1835@rit.edu> Tue, 25 June 2013 21:13 UTC

Return-Path: <omh1835@g.rit.edu>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 18F2911E814C for <tls@ietfa.amsl.com>; Tue, 25 Jun 2013 14:13:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.928
X-Spam-Level:
X-Spam-Status: No, score=-1.928 tagged_above=-999 required=5 tests=[AWL=1.048, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5ftHjx5yZ+Zf for <tls@ietfa.amsl.com>; Tue, 25 Jun 2013 14:13:11 -0700 (PDT)
Received: from sc3app27.rit.edu (sc3app27.rit.edu [129.21.35.56]) by ietfa.amsl.com (Postfix) with ESMTP id 9930021E80D7 for <tls@ietf.org>; Tue, 25 Jun 2013 14:13:10 -0700 (PDT)
Received: from mail-ie0-f175.google.com (mail-ie0-f175.google.com [209.85.223.175]) by smtp-server.rit.edu (PMDF V6.3-x14 #31420) with ESMTPS id <0MOY002SMW9MPB@smtp-server.rit.edu> for tls@ietf.org; Tue, 25 Jun 2013 17:12:59 -0400 (EDT)
Received: by mail-ie0-f175.google.com with SMTP id a13so28843770iee.20 for <tls@ietf.org>; Tue, 25 Jun 2013 14:12:58 -0700 (PDT)
Received: by 10.43.115.3 with HTTP; Tue, 25 Jun 2013 14:12:58 -0700 (PDT)
X-Received: by 10.50.1.37 with SMTP id 5mr9831325igj.29.1372194778501; Tue, 25 Jun 2013 14:12:58 -0700 (PDT)
X-Received: by 10.50.1.37 with SMTP id 5mr9831323igj.29.1372194778410; Tue, 25 Jun 2013 14:12:58 -0700 (PDT)
Date: Wed, 26 Jun 2013 00:12:58 +0300
From: "OMAR HASSAN (RIT Student)" <omh1835@rit.edu>
In-reply-to: <377FB9023E313048955F1A4A54DB21009A5676E9@365EXCH-MBX-P3.nbttech.com>
Sender: omh1835@rit.edu
To: Paras Shah <Paras.Shah@riverbed.com>
Message-id: <CALxQUYH_mR-_KNnER8DQGrpGZvLF4PgP9c8-g-wkhkg1BiDd1A@mail.gmail.com>
MIME-version: 1.0
Content-type: multipart/alternative; boundary="e89a8f839e935480c904e000fe90"
X-RIT-Received-From: 209.85.223.175
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type :x-gm-message-state; bh=U5uxUdKZm5/eH9XaPpmQO5Dx7MW03LSXl65hGx0JXMo=; b=UNXpDu/M7Y3U6oO2NYPW7d5dGlpsqmvw6vEHv6Vjc2kMQ60BsSTJvx2UXrvkzE9ejj j40FllOPHH0Ma1jBi/cCs61D1mkHz6C6kDZLXKXDeGD3fZcgX9tMjWN0KDPzIrAH624Q hGi++bZ3adlcR7siG3URCwYJWOgh6zglKoCdRopL9XO99U1b+2vfJ47+gnuLQ3HkDEb7 aIUKvwMc78MzR5x/K9K3jZdrIiImcOzeRXYxV0mfLJRJA59z7VvyepL0Tt6Q1x/4Qbpo Md6c7YR3j1UpdCEkCB0lBgt4V7hYyJHpnWfZm6wN1viU0oPYKdRdn7UjywlaNRLEO/mx m7qw==
X-Google-Sender-Auth: 7_6D232xPmgXWa8VhZAE4Qiujgw
X-Gm-Message-State: ALoCoQnNkXrZogAfkZ7nHSS56iJp2eZdq7PLu5tTSqdf4JOkVDHPIm4FU2l+Qed1Tzg2SuE4Y6vRSKL11QrZV3B3eWSJM4Y8I5HKahlNP9YrPbT15x3+lTbrhBFDmlaVsgZRqsvAjAfo
References: <CALxQUYGdagDHr+A4EKN5qPD1jZG+dH8PHwb0-fKJVUN_vC1MSg@mail.gmail.com> <2A0EFB9C05D0164E98F19BB0AF3708C711B251EE97@USMBX1.msg.corp.akamai.com> <CALxQUYGpcKPOAoZ8J56AoUGx8B3JhdmMche8MdQuqD_S=Y22ZQ@mail.gmail.com> <2A0EFB9C05D0164E98F19BB0AF3708C711B251EF0E@USMBX1.msg.corp.akamai.com> <CALxQUYF1=oFBk=WZFoey+28j7MV7YvSkAD-YzJSeQ0Dp7uXmEA@mail.gmail.com> <2A0EFB9C05D0164E98F19BB0AF3708C711B251EFFF@USMBX1.msg.corp.akamai.com> <CALxQUYH-4HR7sO2jfxQnbro6+xM5hD_hdW-K_a-Esd9yiZ+oug@mail.gmail.com> <2A0EFB9C05D0164E98F19BB0AF3708C711B251F1E5@USMBX1.msg.corp.akamai.com> <CALxQUYEeLRxGz=_CO8pMYc4u2rm8u+u6fTiYH_3UMev-pNFC4g@mail.gmail.com> <CALxQUYF_ekkkGuhQdK7mJFJj5HcHJybXJYyvKZ721Qz_k_Td5w@mail.gmail.com> <377FB9023E313048955F1A4A54DB21009A5676E9@365EXCH-MBX-P3.nbttech.com>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] User Defined Key Pair
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Jun 2013 21:13:17 -0000

Hi Paras


If the attacker was masquerading as Facebook, he would get the user’s
public key, signed message, username. The attacker, can then choose a
session key _*of his choice*_, encrypt with public key of user and send it
back. Thereafter, the user is communicating with the attacker instead of
the real Facebook server.

That's one of the main differences between udkp protocol and TLS, the
session key is generated by the server not the by the user, so the attacker
cannot chose a session key of his choice and encrypt it with the user's
public key. You refer to figure 1, 2 of the draft for the flow of messages
between the user and the server.

Besides, even the very 1st time, how do you know that the user is
communicating with Facebook for real to get the server’s current timestamp
for example.****
All values that the client received from the server will be hashed at the
client, and sent back to the server encrypted with the session key, so the
server can validate the hash to make sure that no one manipulate the
values. This is done in the "finish" message.


On Tue, Jun 25, 2013 at 10:35 PM, Paras Shah <Paras.Shah@riverbed.com>wrote:

>  >If  someone pretended to be Facebook, he will receive a public key and
> a signed message. The attacker cannot use this information to log into
> Facebook, because the signed message contains the current >server's time
> stamp, so it's valid only for a few seconds.****
>
> ** **
>
> That is the issue right there. If the attacker was masquerading as
> Facebook, he would get the user’s public key, signed message, username. The
> attacker, can then choose a session key _*of his choice*_, encrypt with
> public key of user and send it back. Thereafter, the user is communicating
> with the attacker instead of the real Facebook server.****
>
> ** **
>
> Besides, even the very 1st time, how do you know that the user is
> communicating with Facebook for real to get the server’s current timestamp
> for example.****
>
> ** **
>
> Paras Shah,****
>
> SSL Security Engineer, ****
>
> Riverbed Technology.****
>
> ** **
>
> *From:* tls-bounces@ietf.org [mailto:tls-bounces@ietf.org] *On Behalf Of *OMAR
> HASSAN (RIT Student)
> *Sent:* Tuesday, June 25, 2013 12:07 PM
> *Cc:* tls@ietf.org
>
> *Subject:* Re: [TLS] User Defined Key Pair****
>
> ** **
>
> Hi Uri,****
>
> ** **
>
> May be I am still not able to clear my point regarding the man in the
> middle attack. ****
>
> ** **
>
> When the user provides the credential information, he will not provide it
> to the Facebook log in page, instead he will go to the menu bar in his
> browser, and run the new plugin which has two tabs: one for log in; and the
> other for enrollment, and in the plugin interface the user will provide his
> credential information.****
>
> ** **
>
> The key pair will be generated inside the browser's plugin, and only the
> signed message, and the username will go to Facebook, no passwords will
> leave the user's browser. When the server receive the username and the
> signed message, it will send the session key encrypted with the user's
> public key.****
>
> ** **
>
> If  someone pretended to be Facebook, he will receive a public key and a
> signed message. The attacker cannot use this information to log into
> Facebook, because the signed message contains the current server's time
> stamp, so it's valid only for a few seconds.****
>
> ** **
>
> And even if the attacker sends the signed message and the username to the
> server, and the server accepted them, the next step is that the server will
> respond with the session key encrypted with the user's public key. How the
> attacker will read the public key if he doesn't have the private key, the
> private key that didn't leave the user's browser.****
>
> ** **
>
> On Tue, Jun 25, 2013 at 7:55 PM, OMAR HASSAN (RIT Student) <
> omh1835@rit.edu> wrote:****
>
> Hi All
>
> >Stephan:****
>
>
> >How you made sure that the user (client) is connected with the intended
> server?****
>
> >Paras Shah:****
>
>
> >That is exactly the question I had. How is Server Authentication done
> with this approach?****
>
> >Rich:****
>
>
> >I don’t see anything in your system that prevents this, either.  It seems
> that replacing your system with self-signed client >certificates would be
> equivalent.****
>
> >Robert:
> >As the proposal has no server authentication, it is surely broken in that
> respect i.e. the client could be lured to any bogus >website masquerading
> as a legitimate one. How would the client know?
>
> I would explain How is Server Authentication done with a practical
> example. Let's name facebook as our website that we need to protect using
> that new protocol.
>
> When I go to facebook, I would receive a browser message telling me:
> "Please use the UDKP protected access (Tools->UDKP Protected Access)!"
> the user will go to the plugin interface, and provide the username,
> password, password confirmation, the plugin will create a file with random
> data stream in the user's usb, and then the user will click on the register
> button.****
>
>
> At that point the plugin will create the key pair based on the random
> file, username, and password. The public key will go to the server with the
> username and a signed message, and the user will be redirected to the
> facebook registration page to complete his registration.****
>
>
> Now the user profile is created on facebook and associated with the user
> public key.****
>
>
> When the user tries to sign in later into facebook, and if he was deceived
> to sign in into a fake website, the user will go to the browser plugin
> interface, and provide the username, password, and select the file from his
> usb. At that point the user will be expecting to see his facebook timeline
> if he is really signing into the real facebook. Note that the user didn't
> provide the credential information to the website but to the browser plugin
> (Tools->UDKP Protected Access).****
>
>
> In our case, the fake website will only receive the username, the public
> key, and the token (ServerHello.random ) signed with user private key, If
> the attacker delivered this message to the facebook server, the server will
> try to read and validate the token using the user public key. If it
> succeeds, it will respond with the session key premaster encrypted by the
> user public key. Because the user private key did not leave the browser,
> the attacker will not be able to read the session key and hence will not be
> able to monitor the traffic.****
>
> So if the user was successfully able to see his timeline, he would be sure
> that he is communicating with the real facebook.
>
> >Robert:
> >Token = enc(ServerHello.random, PrivKey) : The concept of encrypting
> using a private key seems pointless. Don't you mean >signing?
>
> Yes Robert, I mean signing not encrypting. Actually someone told me before
> about that mistake in the previous version, but unfortunately I forgot to
> correct it in the new version. Hopefully in the next version it will be
> corrected. Thank You.
>
> >Juho Vähä-Herttua:****
>
>
> >The whole security of the system seems to be dependant on the security of
> the "browser plugin" and its key generation and encryption algorithms****
>
> I preferred to make the generation of the key pair as a black box, so we
> can focus our discussion on the idea itself, so the question is if we have
> a key generation function that can generate key pair securely based on the
> username, password, and the file selected, would the idea be a good one.**
> **
>
>
> >What if someone detects this enrollment and sends a new public key for
> the user before the user has time to fill all the fields? Sounds like a
> race condition to me.****
>
> The key pair generation is done inside the browser plugin interface, not
> in the website page, so there is no race condition, the communication with
> the website will start after the creation of the key pair.****
>
>
>
> >I don't see how this is different from generating a self signed client
> cert and verifying it with for example HMAC with username+password+question
> derived secret. If you already need a custom >browser ****
>
> >plugin to handle the login, you can put all your custom logic there and
> use standard TLS for the rest.****
>
> You can look at the generated key pair as a client certificate, but I
> preferred to make it as a key pair, so this key pair could be generated
> based on different approaches: security question, file, smart card,
> hardware token.****
>
> Additionally it's not only about custom sign in, it's also about
> eliminating the dependence on the CA, so the session key must be encrypted
> with the user public key not encrypted with a key that claims to be the
> server public key.
>
> >Rich:****
>
>
> >It’s great that you are trying to improve things; don’t get discouraged,
> but this ain’t there yet.  And as a first step to replacing all of
> SSL/TLS?  Nope.****
>
> I am not discouraged at all, but I am still insisting that the security of
> my traffic to facebook must be the responsibility of me and facebook only,
> and not anyone else. And I am doing my best to achieve that. The discussion
> is very useful to me, may be after this discussion we can come out with a
> new final solution to this issue.****
>
> ** **
>
> On Tue, Jun 25, 2013 at 2:29 PM, Salz, Rich <rsalz@akamai.com> wrote:****
>
> Ø  Self signed certificate is very dangerous because the user will not
> have a way to verify the identity of the certificate owner and he could be
> a victim to a man in the middle attack.****
>
>  ****
>
> I don’t see anything in your system that prevents this, either.  It seems
> that replacing your system with self-signed client certificates would be
> equivalent.****
>
>  ****
>
> It’s great that you are trying to improve things; don’t get discouraged,
> but this ain’t there yet.  And as a first step to replacing all of
> SSL/TLS?  Nope.****
>
>  ****
>
>                 /r$****
>
>  ****
>
> --  ****
>
> Principal Security Engineer****
>
> Akamai Technology****
>
> Cambridge, MA****
>
>  ****
>
> ** **
>
> ** **
>