Re: [TLS] User Defined Key Pair
"OMAR HASSAN (RIT Student)" <omh1835@rit.edu> Tue, 25 June 2013 21:22 UTC
Return-Path: <omh1835@g.rit.edu>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3364221E80B9 for <tls@ietfa.amsl.com>; Tue, 25 Jun 2013 14:22:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.278
X-Spam-Level:
X-Spam-Status: No, score=-2.278 tagged_above=-999 required=5 tests=[AWL=0.699, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Z90XGshSNfju for <tls@ietfa.amsl.com>; Tue, 25 Jun 2013 14:22:38 -0700 (PDT)
Received: from sc3app27.rit.edu (sc3app27.rit.edu [129.21.35.56]) by ietfa.amsl.com (Postfix) with ESMTP id 38AD911E814F for <tls@ietf.org>; Tue, 25 Jun 2013 14:22:38 -0700 (PDT)
Received: from mail-ie0-f172.google.com (mail-ie0-f172.google.com [209.85.223.172]) by smtp-server.rit.edu (PMDF V6.3-x14 #31420) with ESMTPS id <0MOY0016UWPOHA@smtp-server.rit.edu> for tls@ietf.org; Tue, 25 Jun 2013 17:22:37 -0400 (EDT)
Received: by mail-ie0-f172.google.com with SMTP id 16so29789953iea.3 for <tls@ietf.org>; Tue, 25 Jun 2013 14:22:36 -0700 (PDT)
Received: by 10.43.115.3 with HTTP; Tue, 25 Jun 2013 14:22:36 -0700 (PDT)
X-Received: by 10.43.137.65 with SMTP id in1mr442526icc.103.1372195356663; Tue, 25 Jun 2013 14:22:36 -0700 (PDT)
X-Received: by 10.43.137.65 with SMTP id in1mr442521icc.103.1372195356559; Tue, 25 Jun 2013 14:22:36 -0700 (PDT)
Date: Wed, 26 Jun 2013 00:22:36 +0300
From: "OMAR HASSAN (RIT Student)" <omh1835@rit.edu>
In-reply-to: <C39B0599-31B8-4D4F-9D45-86AD3B940E6B@gmx.net>
Sender: omh1835@rit.edu
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Message-id: <CALxQUYGkz3SxxAjqU+2aqRHmiwAp_PKT=qAgrLSvJRWq-ju2Sw@mail.gmail.com>
MIME-version: 1.0
Content-type: multipart/alternative; boundary="001a11c2456eca656f04e00120f6"
X-RIT-Received-From: 209.85.223.172
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type :x-gm-message-state; bh=eC4ceGH3Ru96eJDlEGvnt8XxA1yAEk87tfrw1wZxYlc=; b=ojWWV/HUQZUdWiNpVpzLSWD/uCc30UeXSiag6I+ugxUyG36GmCaJ8CkVsUQ/q7JVUV CrZY32UO6GbIkk+KjqBUK1W8y/O3F/fp+3vQFnVep9tdNHqE8rk0M9GYCivhRmZuHi1K ZZVG6Xs1u4ENmPIqIz3yHxTgWGkd1js+sDx6IhJYOhZ2YIseOR+kTUjmEryVuDhorrmm 6zCVxSs5SCdXlTMcs+uEFsh7fchdu4Hg89xnnJKYCj/f1MGnMFjhB94LWrcxE4BXs6Bu mNOQ4gWXAyYFCiLqbP0b/bf1kMSS/+eJ+7IDEtjJ2eQA82A3BkbIX+X2Lj8B94yAFdsy kSLA==
X-Google-Sender-Auth: eMiA3Ee3W59R8-C1EZIjdCQBQlY
X-Gm-Message-State: ALoCoQndwFfeR7+QZHvuMYRsyZI5p54Owm5hP18KQDefDZwAP0cLXaxptTFiT+Tr+DtAt/DUCY2eh0wW8Q5HFKjSUSU+VZTIS+Y3pGh1a+WJUrTXItjP4A5Y7Ew4xH+1PQB8xnfVznZA
References: <CALxQUYGdagDHr+A4EKN5qPD1jZG+dH8PHwb0-fKJVUN_vC1MSg@mail.gmail.com> <2A0EFB9C05D0164E98F19BB0AF3708C711B251EE97@USMBX1.msg.corp.akamai.com> <CALxQUYGpcKPOAoZ8J56AoUGx8B3JhdmMche8MdQuqD_S=Y22ZQ@mail.gmail.com> <2A0EFB9C05D0164E98F19BB0AF3708C711B251EF0E@USMBX1.msg.corp.akamai.com> <CALxQUYF1=oFBk=WZFoey+28j7MV7YvSkAD-YzJSeQ0Dp7uXmEA@mail.gmail.com> <2A0EFB9C05D0164E98F19BB0AF3708C711B251EFFF@USMBX1.msg.corp.akamai.com> <CALxQUYH-4HR7sO2jfxQnbro6+xM5hD_hdW-K_a-Esd9yiZ+oug@mail.gmail.com> <2A0EFB9C05D0164E98F19BB0AF3708C711B251F1E5@USMBX1.msg.corp.akamai.com> <CALxQUYEeLRxGz=_CO8pMYc4u2rm8u+u6fTiYH_3UMev-pNFC4g@mail.gmail.com> <CALxQUYF_ekkkGuhQdK7mJFJj5HcHJybXJYyvKZ721Qz_k_Td5w@mail.gmail.com> <C39B0599-31B8-4D4F-9D45-86AD3B940E6B@gmx.net>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] User Defined Key Pair
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Jun 2013 21:22:44 -0000
Hi Hannes I think you are right the biggest issue that I am facing is the communication of the idea. Currently I am taking notes from this discussion to make use of them in new version of the draft, but I am really interested in the initial thoughts about the idea, and I am doing my best to clarify whatever mysterious. But this version of the draft is very clear compared to the first version, even me when I tried to reread the first version of the draft I couldn't understand it :) Thank You for your advice. On Tue, Jun 25, 2013 at 11:02 PM, Hannes Tschofenig < hannes.tschofenig@gmx.net> wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA512 > > Hi Omar, > > if you think your proposal is a good idea then I would encourage you to > produce a draft. A draft, as a more complete writeup, often helps to > communicate ideas more easily. It also helps to illustrate the bigger > picture. > > Ciao > Hannes > > PS: A minor remark - Facebook (as used in your example) uses IETF > technology developed in a different working group. Their use case, as you > can imagine, is a bit more complex than a browser talking to a server. > > On Jun 25, 2013, at 10:07 PM, OMAR HASSAN (RIT Student) wrote: > > > Hi Uri, > > > > May be I am still not able to clear my point regarding the man in the > middle attack. > > > > When the user provides the credential information, he will not provide > it to the Facebook log in page, instead he will go to the menu bar in his > browser, and run the new plugin which has two tabs: one for log in; and the > other for enrollment, and in the plugin interface the user will provide his > credential information. > > > > The key pair will be generated inside the browser's plugin, and only the > signed message, and the username will go to Facebook, no passwords will > leave the user's browser. When the server receive the username and the > signed message, it will send the session key encrypted with the user's > public key. > > > > If someone pretended to be Facebook, he will receive a public key and a > signed message. The attacker cannot use this information to log into > Facebook, because the signed message contains the current server's time > stamp, so it's valid only for a few seconds. > > > > And even if the attacker sends the signed message and the username to > the server, and the server accepted them, the next step is that the server > will respond with the session key encrypted with the user's public key. How > the attacker will read the public key if he doesn't have the private key, > the private key that didn't leave the user's browser. > > > > > > On Tue, Jun 25, 2013 at 7:55 PM, OMAR HASSAN (RIT Student) < > omh1835@rit.edu> wrote: > > Hi All > > > > >Stephan: > > > > >How you made sure that the user (client) is connected with the intended > server? > > >Paras Shah: > > > > >That is exactly the question I had. How is Server Authentication done > with this approach? > > >Rich: > > > > >I don’t see anything in your system that prevents this, either. It > seems that replacing your system with self-signed client >certificates > would be equivalent. > > > > >Robert: > > >As the proposal has no server authentication, it is surely broken in > that respect i.e. the client could be lured to any bogus >website > masquerading as a legitimate one. How would the client know? > > > > I would explain How is Server Authentication done with a practical > example. Let's name facebook as our website that we need to protect using > that new protocol. > > > > When I go to facebook, I would receive a browser message telling me: > "Please use the UDKP protected access (Tools->UDKP Protected Access)!" > > the user will go to the plugin interface, and provide the username, > password, password confirmation, the plugin will create a file with random > data stream in the user's usb, and then the user will click on the register > button. > > > > At that point the plugin will create the key pair based on the random > file, username, and password. The public key will go to the server with the > username and a signed message, and the user will be redirected to the > facebook registration page to complete his registration. > > > > Now the user profile is created on facebook and associated with the user > public key. > > > > When the user tries to sign in later into facebook, and if he was > deceived to sign in into a fake website, the user will go to the browser > plugin interface, and provide the username, password, and select the file > from his usb. At that point the user will be expecting to see his facebook > timeline if he is really signing into the real facebook. Note that the user > didn't provide the credential information to the website but to the browser > plugin (Tools->UDKP Protected Access). > > > > In our case, the fake website will only receive the username, the public > key, and the token (ServerHello.random ) signed with user private key, If > the attacker delivered this message to the facebook server, the server will > try to read and validate the token using the user public key. If it > succeeds, it will respond with the session key premaster encrypted by the > user public key. Because the user private key did not leave the browser, > the attacker will not be able to read the session key and hence will not be > able to monitor the traffic. > > > > So if the user was successfully able to see his timeline, he would be > sure that he is communicating with the real facebook. > > > > >Robert: > > >Token = enc(ServerHello.random, PrivKey) : The concept of encrypting > using a private key seems pointless. Don't you mean >signing? > > > > Yes Robert, I mean signing not encrypting. Actually someone told me > before about that mistake in the previous version, but unfortunately I > forgot to correct it in the new version. Hopefully in the next version it > will be corrected. Thank You. > > > > >Juho Vähä-Herttua: > > > > >The whole security of the system seems to be dependant on the security > of the "browser plugin" and its key generation and encryption algorithms > > > > I preferred to make the generation of the key pair as a black box, so we > can focus our discussion on the idea itself, so the question is if we have > a key generation function that can generate key pair securely based on the > username, password, and the file selected, would the idea be a good one. > > > > >What if someone detects this enrollment and sends a new public key for > the user before the user has time to fill all the fields? Sounds like a > race condition to me. > > > > The key pair generation is done inside the browser plugin interface, not > in the website page, so there is no race condition, the communication with > the website will start after the creation of the key pair. > > > > > > >I don't see how this is different from generating a self signed client > cert and verifying it with for example HMAC with username+password+question > derived secret. If you already need a custom >browser > > >plugin to handle the login, you can put all your custom logic there and > use standard TLS for the rest. > > > > You can look at the generated key pair as a client certificate, but I > preferred to make it as a key pair, so this key pair could be generated > based on different approaches: security question, file, smart card, > hardware token. > > > > Additionally it's not only about custom sign in, it's also about > eliminating the dependence on the CA, so the session key must be encrypted > with the user public key not encrypted with a key that claims to be the > server public key. > > > > >Rich: > > > > >It’s great that you are trying to improve things; don’t get > discouraged, but this ain’t there yet. And as a first step to replacing > all of SSL/TLS? Nope. > > > > I am not discouraged at all, but I am still insisting that the security > of my traffic to facebook must be the responsibility of me and facebook > only, and not anyone else. And I am doing my best to achieve that. The > discussion is very useful to me, may be after this discussion we can come > out with a new final solution to this issue. > > > > > > On Tue, Jun 25, 2013 at 2:29 PM, Salz, Rich <rsalz@akamai.com> wrote: > > Ø Self signed certificate is very dangerous because the user will not > have a way to verify the identity of the certificate owner and he could be > a victim to a man in the middle attack. > > > > > > > > I don’t see anything in your system that prevents this, either. It > seems that replacing your system with self-signed client certificates would > be equivalent. > > > > > > > > It’s great that you are trying to improve things; don’t get discouraged, > but this ain’t there yet. And as a first step to replacing all of SSL/TLS? > Nope. > > > > > > > > /r$ > > > > > > > > -- > > > > Principal Security Engineer > > > > Akamai Technology > > > > Cambridge, MA > > > > > > > > > > > > _______________________________________________ > > TLS mailing list > > TLS@ietf.org > > https://www.ietf.org/mailman/listinfo/tls > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG/MacGPG2 v2.0.19 (Darwin) > Comment: GPGTools - http://gpgtools.org > > iQEcBAEBCgAGBQJRyfc6AAoJEGhJURNOOiAt14IH+wX1gBztEr2vC7PkwKEmcU6Z > tbLHVm5dUT1HR2uieVHEbjDviY8K/aM46C4Esxkh/6HyYe1RIJyrhHcqP0xv8ZjA > zMlD4G6m4OVB+d5Wgvoj8FwHM9cs/WuNqWvf342LjB9EiHKyLGKKu6HVPYhrkzUr > wHpj04n62lxyzQyPJA3nZ7hS/z/IW5zYB7ud+jIe2SpQWyGgPl+MlyxpihwQjCs3 > FVjTVPlc4E88DfgIf5rDbbwf8JqM8r0wVNcHn1PQnOeh2k+GHkuHuflhmQisGetz > 5x/NyhT8XIHGvf8CJ23PYjgkkYcLRHn5I/OElLCSNK54Widkn5y5GAR2kqZiL4g= > =TTA8 > -----END PGP SIGNATURE----- >
- [TLS] User Defined Key Pair OMAR HASSAN (RIT Student)
- Re: [TLS] User Defined Key Pair Salz, Rich
- Re: [TLS] User Defined Key Pair OMAR HASSAN (RIT Student)
- Re: [TLS] User Defined Key Pair Salz, Rich
- Re: [TLS] User Defined Key Pair OMAR HASSAN (RIT Student)
- Re: [TLS] User Defined Key Pair Salz, Rich
- Re: [TLS] User Defined Key Pair OMAR HASSAN (RIT Student)
- Re: [TLS] User Defined Key Pair Stephan T.
- Re: [TLS] User Defined Key Pair Juho Vähä-Herttua
- Re: [TLS] User Defined Key Pair Robert Cragie
- Re: [TLS] User Defined Key Pair Salz, Rich
- Re: [TLS] User Defined Key Pair OMAR HASSAN (RIT Student)
- Re: [TLS] User Defined Key Pair Paras Shah
- Re: [TLS] User Defined Key Pair Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] User Defined Key Pair OMAR HASSAN (RIT Student)
- Re: [TLS] User Defined Key Pair Hannes Tschofenig
- Re: [TLS] User Defined Key Pair OMAR HASSAN (RIT Student)
- Re: [TLS] User Defined Key Pair OMAR HASSAN (RIT Student)
- Re: [TLS] User Defined Key Pair Juho Vähä-Herttua
- Re: [TLS] User Defined Key Pair Juho Vähä-Herttua
- Re: [TLS] User Defined Key Pair OMAR HASSAN (RIT Student)
- Re: [TLS] User Defined Key Pair Paras Shah
- Re: [TLS] User Defined Key Pair Dan Harkins
- Re: [TLS] User Defined Key Pair OMAR HASSAN (RIT Student)
- Re: [TLS] User Defined Key Pair Dan Harkins
- Re: [TLS] User Defined Key Pair Alex Elsayed
- Re: [TLS] User Defined Key Pair OMAR HASSAN (RIT Student)
- Re: [TLS] User Defined Key Pair OMAR HASSAN (RIT Student)