Re: [TLS] about the PWD Proposal
SeongHan Shin <seonghan.shin@aist.go.jp> Sat, 10 December 2011 08:39 UTC
Return-Path: <shinsh93@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6553E21F8B0E for <tls@ietfa.amsl.com>; Sat, 10 Dec 2011 00:39:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.71
X-Spam-Level:
X-Spam-Status: No, score=-0.71 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, J_CHICKENPOX_43=0.6, RCVD_IN_DNSWL_LOW=-1, SARE_HTML_USL_OBFU=1.666]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OvbUolwGSMk8 for <tls@ietfa.amsl.com>; Sat, 10 Dec 2011 00:39:31 -0800 (PST)
Received: from mail-ww0-f44.google.com (mail-ww0-f44.google.com [74.125.82.44]) by ietfa.amsl.com (Postfix) with ESMTP id 1C8FD21F8AF8 for <tls@ietf.org>; Sat, 10 Dec 2011 00:39:30 -0800 (PST)
Received: by wgbdr13 with SMTP id dr13so5573578wgb.13 for <tls@ietf.org>; Sat, 10 Dec 2011 00:39:25 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type; bh=kYYXYrrwVezhRm38/zFlGdIGyo2NnMhcHJauOudz5ro=; b=vxgDZnd/YGlvtIThphB6i7JZizFOtrAtpyWh9O0Lfo3Jov2CL3JMKmUsNTsw++IvXK iyYq62TPlVA2+8piqIRzTL3cFGIIZnbeI6vfz8Ajfv0g6wQH+MTNY9kYK779agjPrOKw yyrRhGvHY00C36jR8wDEswnABztqx3F0Hlh+c=
MIME-Version: 1.0
Received: by 10.216.229.75 with SMTP id g53mr675534weq.31.1323506365729; Sat, 10 Dec 2011 00:39:25 -0800 (PST)
Sender: shinsh93@gmail.com
Received: by 10.216.68.17 with HTTP; Sat, 10 Dec 2011 00:39:25 -0800 (PST)
In-Reply-To: <4ECACDA3.4000003@gmail.com>
References: <mailman.1210.1321701345.3024.tls@ietf.org> <4ECACDA3.4000003@gmail.com>
Date: Sat, 10 Dec 2011 17:39:25 +0900
X-Google-Sender-Auth: BYeGGMoAdoojEuQw0xLtvXlehmg
Message-ID: <CAHjyU7GTidLew=ZV9hxLgivz1YttG4Z_uYtGdz0XJg2_p1Cj3A@mail.gmail.com>
From: SeongHan Shin <seonghan.shin@aist.go.jp>
To: tls@ietf.org
Content-Type: multipart/alternative; boundary="0016364d1b8bc98b5c04b3b8d66c"
Cc: Kazukuni Kobara <k-kobara@aist.go.jp>
Subject: Re: [TLS] about the PWD Proposal
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 10 Dec 2011 08:39:32 -0000
Dear TLS WG members, You can see I-D of "augmented" PAKE protocol below. https://datatracker.ietf.org/doc/draft-shin-augmented-pake/ In Section 2, several advantages and security features can be found. Best regards, Shin On Tue, Nov 22, 2011 at 7:16 AM, Yaron Sheffer <yaronf.ietf@gmail.com>wrote: > In a somewhat related protocol (IKEv2 with PACE for authentication), we > added an appendix on password salting: http://tools.ietf.org/html/** > draft-kuegler-ipsecme-pace-**ikev2-08#appendix-B<http://tools.ietf.org/html/draft-kuegler-ipsecme-pace-ikev2-08#appendix-B>. > The setting there is a little different from tls-pwd, because IKE is > normally symmetric (peer to peer vs. client to server). But some of our > analysis does apply. In particular, dynamically replacing the short > credentials by a long shared secret ( http://tools.ietf.org/html/** > draft-kuegler-ipsecme-pace-**ikev2-08#appendix-B.3<http://tools.ietf.org/html/draft-kuegler-ipsecme-pace-ikev2-08#appendix-B.3>) > would mitigate much of the risk. > > Thanks, > Yaron > > ----- > Hi, > I am interested in the PWD proposal at the meeting, and run through it( > http://tools.ietf.org/html/**draft-harkins-tls-pwd-01#**section-3.4<http://tools.ietf.org/html/draft-harkins-tls-pwd-01#section-3.4>), > > > and have the following concerns: > > 1. In the document, it says both Client and Server should be able to > compute PE, which is derived from username, password, salt,etc. > That means Client or the user should also remember the salt value, in > that case, salt is meaningless and can be replaced by a longer password. > This is quite different from the widely known usage of salt, e.g. in > UNIX operating system, salt is not required to remember by the user, but by > server to fetch locally by reference to the username. > And as far as I know, I am sure the authors also know that, other > password based key exchanges protocols don't involve salt, but store a hash > value of password among other things locally. > > I realize that this is very different from the usage in UNIX operating >> systems, but it is necessary, as the UNIX (or other) operating system >> running the web server has to store the password. Storing the password in >> the clear on as an unsalted hash is worse than storing a salted hash (or >> "base" in the draft's terminology), so that is what the TLS server does. >> The use of base instead of password is not to protect the password during >> handshake, but to protect it during storage on the server. >> >> Having said that, I think it is now very practical to take a list of the >> 100,000 most popular passwords on the web, a database of 10,000 salted >> hashes (the file described in section 3.4), and find all the matches. >> That's 1,000,000,000 operations, which would take 15 minutes on a MacBook >> Air (1.4 GHz). I think the days of saying that a database of salted hashes >> makes theft of the password file irrelevant should be over. Yes, I know >> that with unsalted hash it would be practical to test the 100,000,000 most >> popular passwords. >> >> session cookies somehow (e.g., via the BEAST attack): but if you don't >> have my OBCs' private keys then you can't actually make use of my >> cookies. >> >> With OBC cookie theft is not enough. With OBC the attacker must get >> at the private keys for the OBCs. >> >> Also, with OBC you get closer to true logout: destroy ("forget") your >> OBC private keys and your sessions are as good as dead. Moreover, the >> user-agent, not the server, is in control of maximum session lifetime, >> since there's no point in the server setting cookies that will outlive >> the OBCs. >> I we can find no other use case, we might want to rename it to "Origin >> Bound Cookie". >> >> But that would require some interesting interaction between layers. >> >> Are all cookies received while using OBC considered (by the client!) >> bound to the OBC? If not, the client might use an old cookie after a logout >> event, leading to the server falsely detecting an attempt to forge a >> cookie. Maybe we need a new keyword on the cookie header. >> >> Where is the "logout" button? If it's part of the website (in the >> "canvas") how does the HTML/HTTP tell the browser to log out? Probably best >> to have it in the Chrome for sites where OBC are supported. >> > > > ______________________________**_________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/**listinfo/tls<https://www.ietf.org/mailman/listinfo/tls> > -- ------------------------------------------------------------------ SeongHan Shin Research Center for Information Security (RCIS), National Institute of Advanced Industrial Science and Technology (AIST), Central 2, 1-1-1, Umezono, Tsukuba City, Ibaraki 305-8568 Japan Tel : +81-29-861-2670/5284 Fax : +81-29-861-5285 E-mail : seonghan.shin@aist.go.jp ------------------------------------------------------------------
- [TLS] about the PWD Proposal zhou.sujing
- Re: [TLS] about the PWD Proposal Yoav Nir
- Re: [TLS] about the PWD Proposal Dan Harkins
- Re: [TLS] about the PWD Proposal Yaron Sheffer
- Re: [TLS] about the PWD Proposal SeongHan Shin
- Re: [TLS] about the PWD Proposal Matt DeMoss
- Re: [TLS] about the PWD Proposal Dan Harkins
- Re: [TLS] about the PWD Proposal Nico Williams
- [TLS] OT: WPA2-PSK vs. TLS-PSK (was about the PWD… Martin Rex
- Re: [TLS] OT: WPA2-PSK vs. TLS-PSK (was about the… Dan Harkins
- Re: [TLS] about the PWD Proposal Dan Brown
- Re: [TLS] about the PWD Proposal Dan Harkins