[TLS] Should TLS 1.3 use an augmented PAKE by default?
Andy Lutomirski <luto@amacapital.net> Tue, 18 March 2014 18:16 UTC
Return-Path: <luto@amacapital.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A19221A0724 for <tls@ietfa.amsl.com>; Tue, 18 Mar 2014 11:16:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id drlyej9Q0sMo for <tls@ietfa.amsl.com>; Tue, 18 Mar 2014 11:16:26 -0700 (PDT)
Received: from mail-pd0-f172.google.com (mail-pd0-f172.google.com [209.85.192.172]) by ietfa.amsl.com (Postfix) with ESMTP id D17831A0775 for <tls@ietf.org>; Tue, 18 Mar 2014 11:11:25 -0700 (PDT)
Received: by mail-pd0-f172.google.com with SMTP id p10so7459112pdj.17 for <tls@ietf.org>; Tue, 18 Mar 2014 11:11:17 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:message-id:date:from:user-agent:mime-version:to :subject:content-type:content-transfer-encoding; bh=+FzF8+DS80+Htmbu0smI035wlp3/xglXRzA0c+5GG1o=; b=CkTX7IyPLhWhLwbEhFvWo66gZX8gnyXkslxjeO/0Zl/5BLuBuRkqurbE1H78i7t9wf qgvQFRYbbBOI4gbUFjuMsteykYXMQkDmASKULqrgLu/9c2T3DpDi7xFd/Hm/YD90OgbN +i+R9wrFRzuzZ8smBwu1fafblV1rhjyOsbfwL43MZzThWcqdkGCSUkpseWpkNXvvXZfd rn7a1oVNP/s+com+WihwjGN365et+F07mvFaisF2GFytHvArGd+119R8zKMPtdD+IA72 kOzrGNbPZiMuIFEhG6dMSeWQnp2144+Ey+Bq/iXDQnO+eKe1CIrz5w1OUEgfFFkUjx25 As8A==
X-Gm-Message-State: ALoCoQlp5GpZEgya8RZsUJDZGIi3XfUiz7KtgwZd5q+nXyouxxvR87447KXHt20XEhIYMGU3zHwV
X-Received: by 10.66.155.102 with SMTP id vv6mr35023499pab.89.1395166277440; Tue, 18 Mar 2014 11:11:17 -0700 (PDT)
Received: from amaluto.corp.amacapital.net (50-76-60-73-ip-static.hfc.comcastbusiness.net. [50.76.60.73]) by mx.google.com with ESMTPSA id fg12sm91158754pac.28.2014.03.18.11.11.16 for <tls@ietf.org> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Tue, 18 Mar 2014 11:11:16 -0700 (PDT)
Message-ID: <53288C43.9010205@mit.edu>
Date: Tue, 18 Mar 2014 11:11:15 -0700
From: Andy Lutomirski <luto@amacapital.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.3.0
MIME-Version: 1.0
To: "tls@ietf.org" <tls@ietf.org>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/4gTUuhRa_CO44pd53sW7MYIK8do
Subject: [TLS] Should TLS 1.3 use an augmented PAKE by default?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Mar 2014 18:16:38 -0000
I'd like to see TLS 1.3 solve what I consider to be two major problems in past versions. 1. When clients authenticate with a password, if they send their password to the wrong server, that server learns their password. This is the basis of most phishing attacks. (I'm ignoring TLS-SRP, which is basically unused.) 2. If a client uses a client certificate, the client has to store the private key *and* certificate associated with the certificate. That means that any encrypted form of that certificate is subject to a dictionary attack. Both of these problems can be solved if the default mode of client authentication in TLS 1.3 were an augmented PAKE or a non-key-exchanging equivalent. #1 is addressed directly, and it would even be safe to share passwords between different servers. #2 is also solved: a client certificate could be some identifying information (which does *not* contain a PAKE verifier) and a high-entropy "password" encrypted with a real password. As long as the encryption doesn't provide a way to check whether the key is correct, no one can brute-force the client's password without a round trip to the server for each guess. It might make sense to use similar techniques to authenticate servers to clients. First, symmetry is nice. Second, I think that several of the protocols for doing this kind of authentication are actually *faster* than using digital signatures. Should TLS do something like this? This may fit in with Watson Ladd's suggestions about using something other than conventional DH for key exchange. --Andy
- [TLS] Should TLS 1.3 use an augmented PAKE by def… Andy Lutomirski
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Daniel Kahn Gillmor
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Andy Lutomirski
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Ryan Sleevi
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Andy Lutomirski
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Andy Lutomirski
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Ryan Sleevi
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Anders Rundgren
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Ryan Sleevi
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Peter Sylvester
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Andy Lutomirski
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Andy Lutomirski
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Yoav Nir
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Daniel Kahn Gillmor
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Paul Hoffman
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Yoav Nir
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Daniel Kahn Gillmor
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Robert Cragie
- [TLS] bootstrapping of constrained devices (was: … Rene Struik
- Re: [TLS] bootstrapping of constrained devices Anders Rundgren
- Re: [TLS] bootstrapping of constrained devices (w… Michael Sweet
- Re: [TLS] bootstrapping of constrained devices (w… t.petch
- Re: [TLS] bootstrapping of constrained devices (w… Michael Sweet
- Re: [TLS] bootstrapping of constrained devices Anders Rundgren
- Re: [TLS] bootstrapping of constrained devices (w… Max Pritikin (pritikin)
- Re: [TLS] bootstrapping of constrained devices (w… Don Sturek
- Re: [TLS] bootstrapping of constrained devices Robert Cragie
- Re: [TLS] bootstrapping of constrained devices Watson Ladd
- Re: [TLS] bootstrapping of constrained devices Paterson, Kenny
- Re: [TLS] bootstrapping of constrained devices Feng Hao
- Re: [TLS] bootstrapping of constrained devices Paterson, Kenny
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Yaron Sheffer
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Yaron Sheffer
- Re: [TLS] bootstrapping of constrained devices Feng Hao
- Re: [TLS] bootstrapping of constrained devices Dan Harkins