Re: [TLS] Should TLS 1.3 use an augmented PAKE by default?
Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 18 March 2014 21:13 UTC
Return-Path: <dkg@fifthhorseman.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4C0B01A023C for <tls@ietfa.amsl.com>; Tue, 18 Mar 2014 14:13:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.3
X-Spam-Level:
X-Spam-Status: No, score=-1.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_45=0.6] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VPke0BZIyTaF for <tls@ietfa.amsl.com>; Tue, 18 Mar 2014 14:13:23 -0700 (PDT)
Received: from che.mayfirst.org (che.mayfirst.org [209.234.253.108]) by ietfa.amsl.com (Postfix) with ESMTP id 3944B1A03F1 for <tls@ietf.org>; Tue, 18 Mar 2014 14:13:23 -0700 (PDT)
Received: from [10.70.10.55] (unknown [38.109.115.130]) by che.mayfirst.org (Postfix) with ESMTPSA id 0DED5F984; Tue, 18 Mar 2014 17:13:12 -0400 (EDT)
Message-ID: <5328B6DF.8070703@fifthhorseman.net>
Date: Tue, 18 Mar 2014 17:13:03 -0400
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Icedove/24.2.0
MIME-Version: 1.0
To: Andy Lutomirski <luto@amacapital.net>, "tls@ietf.org" <tls@ietf.org>
References: <53288C43.9010205@mit.edu>
In-Reply-To: <53288C43.9010205@mit.edu>
X-Enigmail-Version: 1.6
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="irkbWRAxnjKwglceEkLDn9A8ExUkbWf10"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/7LrZfyDxMNMDFa0EiJokHS_DG1Y
Subject: Re: [TLS] Should TLS 1.3 use an augmented PAKE by default?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Mar 2014 21:13:25 -0000
Hi Andy-- Thanks for raising this question. On 03/18/2014 02:11 PM, Andy Lutomirski wrote: > 1. When clients authenticate with a password, if they send their > password to the wrong server, that server learns their password. I think you're talking about HTTP basic auth here, or IMAP AUTH=PLAIN, right? Other authentication mechanisms that are layered on top of TLS don't necessarily have the same concern. > This > is the basis of most phishing attacks. (I'm ignoring TLS-SRP, which is > basically unused.) TLS SRP's lack of use suggests that there is not a high pressure for deployment here. It's probably worth thinking some about why SRP adoption has been so slow (i don't know the global answer here, but i only know a few folks who are using it) > 2. If a client uses a client certificate, the client has to store the > private key *and* certificate associated with the certificate. That > means that any encrypted form of that certificate is subject to a > dictionary attack. i'm not sure i understand. the certificate is public, right? i think you mean that the stored public key (presumably encrypted locally) is subject to an offline dictionary attack. This is no better or worse than a client with an encrypted password store, of course. A client which caches credentials for the user over the long term should be locking those credentials (whether public-key-based or password-based) with a heavily-stretched password, to make offline dictionary attacks expensive. > Both of these problems can be solved if the default mode of client > authentication in TLS 1.3 were an augmented PAKE or a non-key-exchanging > equivalent. #1 is addressed directly, and it would even be safe to > share passwords between different servers. how does PAKE allow sharing of passwords between servers? can't a server willing to do a bunch of offline computation figure out the client's password from its stored verifier? this moves the offline dictionary attack from the client to the server, but it would still allow the server to recover the client's password, which would then enable its reuse on different sites if the user thought it was ok to share a password between services. > It might make sense to use similar techniques to authenticate servers to > clients. First, symmetry is nice. Second, I think that several of the > protocols for doing this kind of authentication are actually *faster* > than using digital signatures. how strong is a PAKE for a generic network-based adversary? how strong is it when the server itself is the adversary? At the CFRG meeting at IETF-89 earlier this month, there was very little enthusiasm in the room for further discussion about PAKE. this may just be fatigue from the dragonfly discussion, though. > Should TLS do something like this? This may fit in with Watson Ladd's > suggestions about using something other than conventional DH for key > exchange. What about this proposal is different from SRP, which we already have? Why not encourage more adoption of SRP and learn what the sticking points are for that authentication mechanism? My basic sense is that PAKE models are generally useful for one-shot or limited-time use, as a bootstrapping step to something stronger, but not as a regular, per-connection authentication mechanism. I'd be happy to be convinced that they're more generally useful, though :) Regards, --dkg
- [TLS] Should TLS 1.3 use an augmented PAKE by def… Andy Lutomirski
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Daniel Kahn Gillmor
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Andy Lutomirski
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Ryan Sleevi
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Andy Lutomirski
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Andy Lutomirski
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Ryan Sleevi
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Anders Rundgren
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Ryan Sleevi
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Peter Sylvester
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Andy Lutomirski
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Andy Lutomirski
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Yoav Nir
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Daniel Kahn Gillmor
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Paul Hoffman
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Yoav Nir
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Daniel Kahn Gillmor
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Robert Cragie
- [TLS] bootstrapping of constrained devices (was: … Rene Struik
- Re: [TLS] bootstrapping of constrained devices Anders Rundgren
- Re: [TLS] bootstrapping of constrained devices (w… Michael Sweet
- Re: [TLS] bootstrapping of constrained devices (w… t.petch
- Re: [TLS] bootstrapping of constrained devices (w… Michael Sweet
- Re: [TLS] bootstrapping of constrained devices Anders Rundgren
- Re: [TLS] bootstrapping of constrained devices (w… Max Pritikin (pritikin)
- Re: [TLS] bootstrapping of constrained devices (w… Don Sturek
- Re: [TLS] bootstrapping of constrained devices Robert Cragie
- Re: [TLS] bootstrapping of constrained devices Watson Ladd
- Re: [TLS] bootstrapping of constrained devices Paterson, Kenny
- Re: [TLS] bootstrapping of constrained devices Feng Hao
- Re: [TLS] bootstrapping of constrained devices Paterson, Kenny
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Yaron Sheffer
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Yaron Sheffer
- Re: [TLS] bootstrapping of constrained devices Feng Hao
- Re: [TLS] bootstrapping of constrained devices Dan Harkins