IETF Logo Mail Archive

Re: [TLS] about the PWD Proposal

SeongHan Shin <seonghan.shin@aist.go.jp> Sat, 10 December 2011 08:39 UTC

Return-Path: <shinsh93@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6553E21F8B0E for <tls@ietfa.amsl.com>; Sat, 10 Dec 2011 00:39:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.71
X-Spam-Level:
X-Spam-Status: No, score=-0.71 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, J_CHICKENPOX_43=0.6, RCVD_IN_DNSWL_LOW=-1, SARE_HTML_USL_OBFU=1.666]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OvbUolwGSMk8 for <tls@ietfa.amsl.com>; Sat, 10 Dec 2011 00:39:31 -0800 (PST)
Received: from mail-ww0-f44.google.com (mail-ww0-f44.google.com [74.125.82.44]) by ietfa.amsl.com (Postfix) with ESMTP id 1C8FD21F8AF8 for <tls@ietf.org>; Sat, 10 Dec 2011 00:39:30 -0800 (PST)
Received: by wgbdr13 with SMTP id dr13so5573578wgb.13 for <tls@ietf.org>; Sat, 10 Dec 2011 00:39:25 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type; bh=kYYXYrrwVezhRm38/zFlGdIGyo2NnMhcHJauOudz5ro=; b=vxgDZnd/YGlvtIThphB6i7JZizFOtrAtpyWh9O0Lfo3Jov2CL3JMKmUsNTsw++IvXK iyYq62TPlVA2+8piqIRzTL3cFGIIZnbeI6vfz8Ajfv0g6wQH+MTNY9kYK779agjPrOKw yyrRhGvHY00C36jR8wDEswnABztqx3F0Hlh+c=
MIME-Version: 1.0
Received: by 10.216.229.75 with SMTP id g53mr675534weq.31.1323506365729; Sat, 10 Dec 2011 00:39:25 -0800 (PST)
Sender: shinsh93@gmail.com
Received: by 10.216.68.17 with HTTP; Sat, 10 Dec 2011 00:39:25 -0800 (PST)
In-Reply-To: <4ECACDA3.4000003@gmail.com>
References: <mailman.1210.1321701345.3024.tls@ietf.org> <4ECACDA3.4000003@gmail.com>
Date: Sat, 10 Dec 2011 17:39:25 +0900
X-Google-Sender-Auth: BYeGGMoAdoojEuQw0xLtvXlehmg
Message-ID: <CAHjyU7GTidLew=ZV9hxLgivz1YttG4Z_uYtGdz0XJg2_p1Cj3A@mail.gmail.com>
From: SeongHan Shin <seonghan.shin@aist.go.jp>
To: tls@ietf.org
Content-Type: multipart/alternative; boundary="0016364d1b8bc98b5c04b3b8d66c"
Cc: Kazukuni Kobara <k-kobara@aist.go.jp>
Subject: Re: [TLS] about the PWD Proposal
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 10 Dec 2011 08:39:32 -0000

Dear TLS WG members,

You can see I-D of "augmented" PAKE protocol below.
https://datatracker.ietf.org/doc/draft-shin-augmented-pake/
In Section 2, several advantages and security features can be found.

Best regards,
Shin


On Tue, Nov 22, 2011 at 7:16 AM, Yaron Sheffer <yaronf.ietf@gmail.com>wrote:

> In a somewhat related protocol (IKEv2 with PACE for authentication), we
> added an appendix on password salting: http://tools.ietf.org/html/**
> draft-kuegler-ipsecme-pace-**ikev2-08#appendix-B<http://tools.ietf.org/html/draft-kuegler-ipsecme-pace-ikev2-08#appendix-B>.
> The setting there is a little different from tls-pwd, because IKE is
> normally symmetric (peer to peer vs. client to server). But some of our
> analysis does apply. In particular, dynamically replacing the short
> credentials by a long shared secret ( http://tools.ietf.org/html/**
> draft-kuegler-ipsecme-pace-**ikev2-08#appendix-B.3<http://tools.ietf.org/html/draft-kuegler-ipsecme-pace-ikev2-08#appendix-B.3>)
> would mitigate much of the risk.
>
> Thanks,
>    Yaron
>
> -----
>  Hi,
>  I am interested in the PWD proposal at the meeting, and run through it(
> http://tools.ietf.org/html/**draft-harkins-tls-pwd-01#**section-3.4<http://tools.ietf.org/html/draft-harkins-tls-pwd-01#section-3.4>),
>
>
>  and have the following concerns:
>
> 1. In the document, it  says both Client and Server should be able to
> compute PE, which is derived from username, password, salt,etc.
>   That means Client or the user should also remember the salt value, in
> that case, salt is meaningless and can be replaced by a longer password.
>   This is quite different from the widely known usage of salt, e.g. in
> UNIX operating system, salt is not required to remember by the user, but by
> server to fetch locally by reference to the username.
>  And as far as I know, I am sure the authors also know that, other
> password based key exchanges protocols don't involve salt, but store a hash
> value of password among other things locally.
>
>  I realize that this is very different from the usage in UNIX operating
>> systems, but it is necessary, as the UNIX (or other) operating system
>> running the web server has to store the password. Storing the password in
>> the clear on as an unsalted hash is worse than storing a salted hash (or
>> "base" in the draft's terminology), so that is what the TLS server does.
>> The use of base instead of password is not to protect the password during
>> handshake, but to protect it during storage on the server.
>>
>> Having said that, I think it is now very practical to take a list of the
>> 100,000 most popular passwords on the web, a database of 10,000 salted
>> hashes (the file described in section 3.4), and find all the matches.
>> That's 1,000,000,000 operations, which would take 15 minutes on a MacBook
>> Air (1.4 GHz). I think the days of saying that a database of salted hashes
>> makes theft of the password file irrelevant should be over. Yes, I know
>> that with unsalted hash it would be practical to test the 100,000,000 most
>> popular passwords.
>>
>> session cookies somehow (e.g., via the BEAST attack): but if you don't
>> have my OBCs' private keys then you can't actually make use of my
>> cookies.
>>
>> With OBC cookie theft is not enough.  With OBC the attacker must get
>> at the private keys for the OBCs.
>>
>> Also, with OBC you get closer to true logout: destroy ("forget") your
>> OBC private keys and your sessions are as good as dead.  Moreover, the
>> user-agent, not the server, is in control of maximum session lifetime,
>> since there's no point in the server setting cookies that will outlive
>> the OBCs.
>> I we can find no other use case, we might want to rename it to "Origin
>> Bound Cookie".
>>
>> But that would require some interesting interaction between layers.
>>
>> Are all cookies received while using OBC considered (by the client!)
>> bound to the OBC? If not, the client might use an old cookie after a logout
>> event, leading to the server falsely detecting an attempt to forge a
>> cookie. Maybe we need a new keyword on the cookie header.
>>
>> Where is the "logout" button?  If it's part of the website (in the
>> "canvas") how does the HTML/HTTP tell the browser to log out? Probably best
>> to have it in the Chrome for sites where OBC are supported.
>>
>
>
> ______________________________**_________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/**listinfo/tls<https://www.ietf.org/mailman/listinfo/tls>
>



-- 

------------------------------------------------------------------
SeongHan Shin
Research Center for Information Security (RCIS),
National Institute of Advanced Industrial Science and Technology (AIST),
Central 2, 1-1-1, Umezono, Tsukuba City, Ibaraki 305-8568 Japan
Tel : +81-29-861-2670/5284
Fax : +81-29-861-5285
E-mail : seonghan.shin@aist.go.jp
------------------------------------------------------------------

v2.23.0 | Report a Bug | By Email