Re: [TLS] Working Group Last Call for draft-ietf-tls-pwd

"Dan Harkins" <> Sat, 07 December 2013 23:21 UTC

To: Manuel Pégourié-Gonnard

On Sat, December 7, 2013 5:20 am, Manuel Pégourié-Gonnard wrote:
> On 07/12/2013 00:38, Dan Harkins wrote:
>>   It's a balanced PAKE protocol. Like all such schemes (e.g. EKE, J-PAKE)
>> the database of passwords is presumed to not be available to the
>> attacker.
> It's not supposed to be available to the attacker, but as CodesInChaos
> pointed out, in real life it has an annoying tendency to become available to
> attackers much more often than one would like. Anyway, why do you hash & salt
> the passwords in the first place, if not to offer some protection in case the
> database becomes available to an attacker?

  Originally the passwords were not salted but I received a comment
recommending that it be done.

> HMAC-SHA256 is a very poor protection, and weak protections are kind of worse
> than no protection at all: they give an illusion of security.

  I'm assuming you don't know of an efficient pre-image attack.
So I will assume you're referring to the ability of someone to do
a dictionary attack given the database of salted passwords. And in
that case, yes, this is not that big a protection. Modular exponentiation
(used by augmented PAKE schemes) is not much better either. And
given the coWPAtty (and family) attacks against WPA-PSK, which uses
PBKDF2 with 4096 iterations of HMAC-SHA1, I would say that's not
too good either.

  So when an attacker has a database of protected passwords you
should assume the worst regardless of how you protect the

  Let me point out yet again that this draft is not proposing a general
purpose cipher suite that is appropriate for all situations. If it is not
appropriate for your TLS deployment then by all means don't use it.
But just because it is not appropriate for your particular deployment
does not mean it is not appropriate for anyone.