Re: [TLS] password-based authentication (was: Some comments about draft-badra-ecdhe-tls-psk-01)
Chris Newman <Chris.Newman@Sun.COM> Wed, 06 February 2008 21:36 UTC
Return-Path: <tls-bounces@ietf.org>
X-Original-To: ietfarch-tls-archive@core3.amsl.com
Delivered-To: ietfarch-tls-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E9B7A3A70C1; Wed, 6 Feb 2008 13:36:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.046
X-Spam-Level:
X-Spam-Status: No, score=-3.046 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_MISMATCH_COM=0.553, RCVD_IN_DNSWL_LOW=-1]
Received: from core3.amsl.com ([127.0.0.1]) by localhost (mail.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J3FlHmb4NIoS; Wed, 6 Feb 2008 13:36:56 -0800 (PST)
Received: from core3.amsl.com (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9D70C3A6CA1; Wed, 6 Feb 2008 13:36:56 -0800 (PST)
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9110C3A70C5 for <tls@core3.amsl.com>; Wed, 6 Feb 2008 13:36:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
Received: from core3.amsl.com ([127.0.0.1]) by localhost (mail.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IxQoBSgPXl1I for <tls@core3.amsl.com>; Wed, 6 Feb 2008 13:36:54 -0800 (PST)
Received: from sca-es-mail-1.sun.com (sca-es-mail-1.Sun.COM [192.18.43.132]) by core3.amsl.com (Postfix) with ESMTP id DE0103A6CA1 for <tls@ietf.org>; Wed, 6 Feb 2008 13:36:05 -0800 (PST)
Received: from fe-sfbay-10.sun.com ([192.18.43.129]) by sca-es-mail-1.sun.com (8.13.7+Sun/8.12.9) with ESMTP id m16LbbtU029438 for <tls@ietf.org>; Wed, 6 Feb 2008 13:37:37 -0800 (PST)
Received: from conversion-daemon.fe-sfbay-10.sun.com by fe-sfbay-10.sun.com (Sun Java System Messaging Server 6.2-8.04 (built Feb 28 2007)) id <0JVU00H016G45J00@fe-sfbay-10.sun.com> (original mail from Chris.Newman@Sun.COM) for tls@ietf.org; Wed, 06 Feb 2008 13:37:37 -0800 (PST)
Received: from [10.1.110.5] by fe-sfbay-10.sun.com (Sun Java System Messaging Server 6.2-8.04 (built Feb 28 2007)) with ESMTPSA id <0JVU004IM6QL0940@fe-sfbay-10.sun.com>; Wed, 06 Feb 2008 13:37:36 -0800 (PST)
Date: Wed, 06 Feb 2008 13:37:39 -0800
From: Chris Newman <Chris.Newman@Sun.COM>
In-reply-to: <3285.69.12.173.8.1201747921.squirrel@www.trepanning.net>
To: Dan Harkins <dharkins@lounge.org>
Message-id: <8F42A1342D108CD30BFBAEF8@446E7922C82D299DB29D899F>
MIME-version: 1.0
X-Mailer: Mulberry/4.0.8 (Mac OS X)
Content-disposition: inline
References: <B356D8F434D20B40A8CEDAEC305A1F240511959C@esebe105.NOE.Nokia.com> <87sl15pxnx.fsf@mocca.josefsson.org> <B356D8F434D20B40A8CEDAEC305A1F24052E8740@esebe105.NOE.Nokia.com> <28109.216.31.249.246.1201632747.squirrel@www.trepanning.net> <B356D8F434D20B40A8CEDAEC305A1F24052E8B6C@esebe105.NOE.Nokia.com> <BB08005FCE7305534C205D83@446E7922C82D299DB29D899F> <3285.69.12.173.8.1201747921.squirrel@www.trepanning.net>
Cc: pasi.eronen@nokia.com, tls@ietf.org
Subject: Re: [TLS] password-based authentication (was: Some comments about draft-badra-ecdhe-tls-psk-01)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <http://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <http://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: tls-bounces@ietf.org
Errors-To: tls-bounces@ietf.org
--On January 30, 2008 18:52:01 -0800 Dan Harkins <dharkins@lounge.org> wrote: > > Hi Chris, > > On Wed, January 30, 2008 3:12 pm, Chris Newman wrote: >> Pasi.Eronen@nokia.com wrote on 1/30/08 9:58 +0200: >> >>> Dan Harkins wrote: >>> >>>> Personally I would view a password-based authentication scheme >>>> that assumes the shared key is a low-entropy one or is selected >>>> from a limited set of keys, like a dictionary, as more useful to >>>> the real world. I believe that is the predominant access method >>>> used in the Internet today. >>> >>> Just being curious, what would be the main differences between >>> the authentication scheme you're thinking about, and RFC 5054? >> >> On the protocol side, not much. >> >> On the implementation side, it would roughly double the complexity of a >> typical >> TLS API in order to actually be useful to applications. The password >> verifier >> could be stored in any one of a number of external repositories (LDAP, >> RADIUS, >> DIAMETER, SQL, Liberty, some other SOAP/HTTP mechanism, /etc/passwd, NIS, >> etc) >> and the application would have to provide the TLS stack with >> sophisticated configuration knobs related to these protocols. As a >> matter of efficiency, >> some of these protocols are not cheap so high performance servers will >> have to >> keep a pool of connections, then fetch and cache the information locally. >> Attributes that are peripherally related to authentication or unrelated >> to authentication may also be accessed via these protocols and need to be >> cached >> as well to avoid the need for double-fetching of the same entry. So the >> API >> needs a way to put all sorts of controls on the protocols used to fetch >> this >> data, timeouts, what attributes are of interest, caching parameters, etc. >> Then >> there's need for back-channels to the cache (flushing specific entries on >> provisioning changes) which means hooking up to a notification mechanism >> to the >> caching logic under the TLS stack. > > Why would you put all that cruft into the TLS stack? That's what protocol > layers are for, abstracting out this complexity. Agreed. This doesn't belong in the TLS stack so it shouldn't be in the TLS protocol. > What do you do for supporting certificates? For RFC2885 support do you > have HTTP and FTP support to obtain certificates and CRLs from > repositories built into the TLS stack? Is the entire OCSP protocol part > of your TLS stack? What about CMS? Et cetera. The server I work on only supports client certificates signed by a locally stored CA cert (and locally stored CRLs) for TLS authentication and it's difficult to keep it working because the extra layering through the TLS stack makes it more fragile than other authentication code. There's OCSP support in the TLS stack, but the server doesn't enable it -- it'd probably be problematic since the application would have limited control over the OCSP connections and that won't be viable in a highly scalable server. >> Personally, I think TLS stacks are plenty complex enough without all this >> machinery. As a matter of architecture, I'd rather keep this machinery >> completely separate from the TLS stack and use TLS channel bindings when >> mutual authentication at the application layer is needed. > > Channel bindings are orthogonal to a password-based authentication > protocol. Not for one that does mutual authentication. >> Although I'm dubious of the utility of PSK, it seems mostly harmless to >> the TLS >> stack as long as it's not a password. The primary utility I see for PSK >> would >> be for server->server connections if it's coupled with an SSH-style >> zero-configuration key setup mechanism (I don't see it as having much >> real-world utility without the latter piece). If PSK proves to be useful >> than >> ECC-PSK is also likely to be useful simply because of the improved key >> scalability. > > Dubious utility? Wow. They are arguably the predominant method used for > network access in the Internet today, and for the past umpteen years. I've never seen TLS PSK used so I question your assertion. > One lesson I learned very hard from IKE was that if your protocol does > not handle username/password authentication then people are going to hack > the hell out of it to put it in, to the detriment of protocol security. > Why do you think the "do not validate server certificate" checkbox exists? > Let me give you an actual quote I heard: "to make SSL work". That's why I'd prefer to keep TLS out of the game of application authentication. The TLS stack is too critical as a mechanism to provide an encrypted tunnel (it's debatable if the server authentication in TLS is useful for the reason you cite). IKE got into the game of application authentication because VPNs are the primary deployed use for IPsec/IKE and the VPN application has all the standard application authentication requirements. - Chris _______________________________________________ TLS mailing list TLS@ietf.org http://www.ietf.org/mailman/listinfo/tls
- [TLS] ECDHE_PSK as WG item? Pasi.Eronen
- Re: [TLS] ECDHE_PSK as WG item? Blumenthal, Uri
- [TLS] Re: ECDHE_PSK as WG item? Simon Josefsson
- Re: [TLS] Re: ECDHE_PSK as WG item? badra
- [TLS] Some comments about draft-badra-ecdhe-tls-p… Pasi.Eronen
- Re: [TLS] Some comments about draft-badra-ecdhe-t… Mohamad Badra
- Re: [TLS] Some comments about draft-badra-ecdhe-t… Blumenthal, Uri
- Re: [TLS] Some comments about draft-badra-ecdhe-t… Dan Harkins
- RE: [TLS] password-based authentication (was: Som… Pasi.Eronen
- RE: [TLS] password-based authentication (was: Som… Dan Harkins
- RE: [TLS] password-based authentication (was: Som… Chris Newman
- RE: [TLS] password-based authentication (was: Som… Dan Harkins
- [TLS] Updated version of draft-badra-ecdhe-tls-psk Mohamad Badra
- Re: [TLS] ECDHE_PSK as WG item? Eric Rescorla
- Re: [TLS] ECDHE_PSK as WG item? Pasi.Eronen
- Re: [TLS] password-based authentication (was: Som… Chris Newman
- Re: [TLS] password-based authentication (was: Som… Dan Harkins