IETF Logo Mail Archive

Re: [TLS] Working Group Last Call for draft-ietf-tls-pwd

Ralf Skyper Kaiser <skyper@thc.org> Wed, 11 December 2013 16:03 UTC

Return-Path: <skyper@thc.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 522101AE01E for <tls@ietfa.amsl.com>; Wed, 11 Dec 2013 08:03:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.378
X-Spam-Level:
X-Spam-Status: No, score=-1.378 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TXo6DevaApM8 for <tls@ietfa.amsl.com>; Wed, 11 Dec 2013 08:03:21 -0800 (PST)
Received: from mail-ie0-x236.google.com (mail-ie0-x236.google.com [IPv6:2607:f8b0:4001:c03::236]) by ietfa.amsl.com (Postfix) with ESMTP id C9C0D1AE028 for <tls@ietf.org>; Wed, 11 Dec 2013 08:03:20 -0800 (PST)
Received: by mail-ie0-f182.google.com with SMTP id as1so11319154iec.13 for <tls@ietf.org>; Wed, 11 Dec 2013 08:03:15 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=thc.org; s=google; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=uwknjnpzePRsg0+e5jpYOeljmFBTkpKeTwwr5TaZrfA=; b=A9rJbRdaKvrdulBqXOr1m8vHcifWniF49Ugjxjl3mJW7q2DA2eLhY1F8d/earrk1dF 5dup++jOJKtHcG1wADaEbZ3tnCEjHe40LjssSCdSqhi/rtxTpZtOh02jbVtI8YNFVEoq BqT4MWvPpWi0ysvLcS0dKYMCKs7K8gu/cSzC0=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=uwknjnpzePRsg0+e5jpYOeljmFBTkpKeTwwr5TaZrfA=; b=aqbeMGERDBsgK3sKGnYwiNpLzMrTG8tPSq/fh9fX+Qt6fZWvNl2km2V72XOiZWst68 xGF3G6zIY28fr9KwBGcr5p2KJSm7VIhfIHkHb5RMwIgZR+Hy+2IFxXG8zskBD//+vb8i dBFwzmugmF/AOzrru5N+7iAP9ZW1su+f/PgBtQqEXduCIq+Y4w0ZbAtWMn5Xf7tKGRWE vv5xt52chKJhF7egyU8b46UyTC+PvpJ4Kc68Bc/Ipv0MI4wONyD7I+diHo1n2TyQuXJ3 RiR3DLkUHBxb03zXSkgL0lt6VEiEhZm9UTQFh0NL7+CM0mmFi9pxUhISroS/zBh4E4fx rlCg==
X-Gm-Message-State: ALoCoQm+Oyo8Q3zlj18yV6aMWwET403DDqEnpwYyjDuVR8ae3EBRjOhK4qYYeOCFMk2wGTVKXFXO
MIME-Version: 1.0
X-Received: by 10.43.0.202 with SMTP id nn10mr1521402icb.54.1386777794860; Wed, 11 Dec 2013 08:03:14 -0800 (PST)
Received: by 10.64.9.41 with HTTP; Wed, 11 Dec 2013 08:03:14 -0800 (PST)
X-Originating-IP: [81.156.248.122]
In-Reply-To: <7a5a264b029777f3c0b2d2f97a362463.squirrel@www.trepanning.net>
References: <3065D910-832C-47B6-9E0B-2F8DCD2657D2@cisco.com> <CA+BZK2p70bYGGMjJC-Dm2r4bzP_YzKh0ZODiNvnwVcSDJSLZAw@mail.gmail.com> <7a5a264b029777f3c0b2d2f97a362463.squirrel@www.trepanning.net>
Date: Wed, 11 Dec 2013 16:03:14 +0000
Message-ID: <CA+BZK2pkixVPomewb677rV8j72GXpHsY8YAR8-Qkf4aDAtPveA@mail.gmail.com>
From: Ralf Skyper Kaiser <skyper@thc.org>
To: Dan Harkins <dharkins@lounge.org>
Content-Type: multipart/alternative; boundary="bcaec5101cbbd86ebf04ed445dbb"
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Working Group Last Call for draft-ietf-tls-pwd
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Dec 2013 16:03:23 -0000

Hi,

I'm concerned that it will happen in practice: Same password for all users
to authenticate the server.

I feel that the risk should be mentioned under 'Security Considerations'.

"It should be noted that any user with the knowledge of the password can
impersonate the server and perform
a Man-in-the-middle attack against any other user who is using the same
password".

(Maybe some native english speaker can make this sound like Prince Charles
would say it.)

Comments welcome,

regards,

ralf


On Tue, Dec 10, 2013 at 10:06 PM, Dan Harkins <dharkins@lounge.org> wrote:

>
>   Hi Ralf,
>
> On Tue, December 10, 2013 8:45 am, Ralf Skyper Kaiser wrote:
> > Hi,
> >
> > I only joined the conversation recently. Had a quick read of
> > http://tools.ietf.org/html/draft-ietf-tls-pwd-02 and have a question:
> >
> > In a scenario where multiple users use the same password (group
> password):
> >
> > What prevents a user (who knows the password) to impersonating the server
> > and mount a MITM between another user and the real server?
>
>   Nothing prevents that. This protocol is not designed to support group
> passwords. The password credential is assumed to be shared between
> the client and the server only.
>
>   regards,
>
>   Dan.
>
>
>

v2.23.0 | Report a Bug | By Email