Re: [TLS] Should TLS 1.3 use an augmented PAKE by default?
Andy Lutomirski <luto@amacapital.net> Wed, 19 March 2014 16:45 UTC
Return-Path: <luto@amacapital.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 934D91A07B4 for <tls@ietfa.amsl.com>; Wed, 19 Mar 2014 09:45:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.979
X-Spam-Level:
X-Spam-Status: No, score=-1.979 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ttjr04gNzTvm for <tls@ietfa.amsl.com>; Wed, 19 Mar 2014 09:45:42 -0700 (PDT)
Received: from mail-vc0-f172.google.com (mail-vc0-f172.google.com [209.85.220.172]) by ietfa.amsl.com (Postfix) with ESMTP id 4CCE91A0784 for <tls@ietf.org>; Wed, 19 Mar 2014 09:45:42 -0700 (PDT)
Received: by mail-vc0-f172.google.com with SMTP id la4so9367644vcb.17 for <tls@ietf.org>; Wed, 19 Mar 2014 09:45:33 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=6EzjZIDxnSwNi+e5UPU3t4TLWyj5cPabTb9IjIxZ0mM=; b=bXMkoxXgxZxbHjjih7VNDfkvA5qrUMWjr/YIWLozWkIVeIYVD6Cxb03/J4/Rsa3i6C ueIn7HORxfu4trULkrDCbsyhYNAn7xdLhRLcLw1Q+moQLZIjwFtIBpaVQGTWS+KN3Vs/ F9dtNAopk3kGOeou80zZEIogyuTOPqWi1K0hXP7gHqSqtJDUhNBmfr/3HfdNvQsubK58 2xB3FiacIxpS2kaDnFU1eaOueJT9Ds8Hh7x3WDM6Zi98T9ozijrwJX0IzS+2IMj1N5mI 6n83Eod9sIW5Zd48ELNXlUxzTOWaaaCGn1HQc069zIIrDaBWSCdmK2ygfZLsinbeALNE Ts2g==
X-Gm-Message-State: ALoCoQm5r4ihPl2Uc+JI9VdczCekNr079L5jnwRdQ5RJpFXTVF+3Zqrvp7gmlL0C16nmk6s8B3YK
X-Received: by 10.58.221.102 with SMTP id qd6mr115829vec.47.1395247533368; Wed, 19 Mar 2014 09:45:33 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.58.83.130 with HTTP; Wed, 19 Mar 2014 09:45:13 -0700 (PDT)
In-Reply-To: <e38419e3ada3233dbb3f860048703347.squirrel@webmail.dreamhost.com>
References: <53288C43.9010205@mit.edu> <5328B6DF.8070703@fifthhorseman.net> <5328C0C8.9060403@mit.edu> <6b79e0820d349720f12b14d4706a8a5d.squirrel@webmail.dreamhost.com> <CALCETrUz8zCBHiq42GTnkkSaBcpA5pjSvk6kwwPjzn+MtBKMgA@mail.gmail.com> <e38419e3ada3233dbb3f860048703347.squirrel@webmail.dreamhost.com>
From: Andy Lutomirski <luto@amacapital.net>
Date: Wed, 19 Mar 2014 09:45:13 -0700
Message-ID: <CALCETrVgJxfdCxZqc9ttHHNKHm-hdtGbqzHvsQ-6yd5BK=9PDw@mail.gmail.com>
To: ryan-ietftls@sleevi.com
Content-Type: text/plain; charset="ISO-8859-1"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/Git_HT1ClBDPSBIqnjnNtf-IfYU
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Should TLS 1.3 use an augmented PAKE by default?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Mar 2014 16:45:44 -0000
On Wed, Mar 19, 2014 at 9:20 AM, Ryan Sleevi <ryan-ietftls@sleevi.com> wrote: > On Wed, March 19, 2014 9:06 am, Andy Lutomirski wrote: >> On Tue, Mar 18, 2014 at 10:54 PM, Ryan Sleevi <ryan-ietftls@sleevi.com> >> wrote: >> > I have yet to hear of a good mail client >> > "phishing" attack (you *are* validating your IMAP certs, right?), so >> > this >> > seems almost predominantly an issue of attacker-controlled UI - that is, >> > the web. >> >> Even for IMAP, using PAKE, augmented or balanced, would give a >> significant amount of protection against MITMs who have compromised a >> CA. Since compromising a CA seems to be a popular thing to do these >> days, resisting these attacks at the protocol level would add >> considerable value. >> >> --Andy >> > > Or use key pinning - http://tools.ietf.org/html/draft-ietf-websec-key-pinning It works, but not the first time and it's tricky to do safely from the server's POV. > > Or use DANE - https://tools.ietf.org/html/rfc6698 I've never seen anything resembling a usable implementation of DANE. It needs a way to pull a whole DNSSEC signature chain from a DNS server (barely supported with current software -- the CD flag can do it, but client code doesn't seem to support that well) or using a nonexistent TLS extension. > > My point is you can see on this list archives two common threads: > - A desire to reduce, as much as possible, the complexity of TLS > - Not a lot of fondness for another PAKE > The only reason I think my suggestion is reasonable is that I think that it could be very simple -- the main TLS key exchange be designed to have all of the necessary cryptographic properties to be an augmented PAKE. People who don't want to use it can specify null passwords. [...] > > Note that the solution equally fails to meet your goals, because you will > always have browsers that don't support your solution - so sites wanting > to use it will still have to support 'naked' passwords. Equally, for > browsers, there will always be sites that continue to support the <input > type="password"> authentication (not the least because it's part of > HTML5), so they will always be phishable via downgrade attacks - not of > the TLS type, but of the UX type. Right. And the better websites (banks?) will offer both and users will learn that, when they're at home, they should only use the trusted password prompt. > > If that's the only justification/goal for the augmented PAKE (and your > replies suggest it is), let's just save the trouble and say "meh". > Please read the other half of my original email and most of my replies. I think that, even when using a second factor device (e.g. Fido, which you brought up), using an augmented PAKE style challenge for the device could improve security. This has no UX issue at all -- the whole technology is new, and the UI workflow suggested in the draft specs seems like it would work just fine with an improved challenge-response protocol. --Andy
- [TLS] Should TLS 1.3 use an augmented PAKE by def… Andy Lutomirski
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Daniel Kahn Gillmor
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Andy Lutomirski
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Ryan Sleevi
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Andy Lutomirski
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Andy Lutomirski
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Ryan Sleevi
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Anders Rundgren
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Ryan Sleevi
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Peter Sylvester
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Andy Lutomirski
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Andy Lutomirski
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Yoav Nir
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Daniel Kahn Gillmor
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Paul Hoffman
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Yoav Nir
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Daniel Kahn Gillmor
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Robert Cragie
- [TLS] bootstrapping of constrained devices (was: … Rene Struik
- Re: [TLS] bootstrapping of constrained devices Anders Rundgren
- Re: [TLS] bootstrapping of constrained devices (w… Michael Sweet
- Re: [TLS] bootstrapping of constrained devices (w… t.petch
- Re: [TLS] bootstrapping of constrained devices (w… Michael Sweet
- Re: [TLS] bootstrapping of constrained devices Anders Rundgren
- Re: [TLS] bootstrapping of constrained devices (w… Max Pritikin (pritikin)
- Re: [TLS] bootstrapping of constrained devices (w… Don Sturek
- Re: [TLS] bootstrapping of constrained devices Robert Cragie
- Re: [TLS] bootstrapping of constrained devices Watson Ladd
- Re: [TLS] bootstrapping of constrained devices Paterson, Kenny
- Re: [TLS] bootstrapping of constrained devices Feng Hao
- Re: [TLS] bootstrapping of constrained devices Paterson, Kenny
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Yaron Sheffer
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Yaron Sheffer
- Re: [TLS] bootstrapping of constrained devices Feng Hao
- Re: [TLS] bootstrapping of constrained devices Dan Harkins