Re: [TLS] User Defined Key Pair

"OMAR HASSAN (RIT Student)" <omh1835@rit.edu> Tue, 25 June 2013 21:22 UTC

Return-Path: <omh1835@g.rit.edu>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3364221E80B9 for <tls@ietfa.amsl.com>; Tue, 25 Jun 2013 14:22:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.278
X-Spam-Level:
X-Spam-Status: No, score=-2.278 tagged_above=-999 required=5 tests=[AWL=0.699, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Z90XGshSNfju for <tls@ietfa.amsl.com>; Tue, 25 Jun 2013 14:22:38 -0700 (PDT)
Received: from sc3app27.rit.edu (sc3app27.rit.edu [129.21.35.56]) by ietfa.amsl.com (Postfix) with ESMTP id 38AD911E814F for <tls@ietf.org>; Tue, 25 Jun 2013 14:22:38 -0700 (PDT)
Received: from mail-ie0-f172.google.com (mail-ie0-f172.google.com [209.85.223.172]) by smtp-server.rit.edu (PMDF V6.3-x14 #31420) with ESMTPS id <0MOY0016UWPOHA@smtp-server.rit.edu> for tls@ietf.org; Tue, 25 Jun 2013 17:22:37 -0400 (EDT)
Received: by mail-ie0-f172.google.com with SMTP id 16so29789953iea.3 for <tls@ietf.org>; Tue, 25 Jun 2013 14:22:36 -0700 (PDT)
Received: by 10.43.115.3 with HTTP; Tue, 25 Jun 2013 14:22:36 -0700 (PDT)
X-Received: by 10.43.137.65 with SMTP id in1mr442526icc.103.1372195356663; Tue, 25 Jun 2013 14:22:36 -0700 (PDT)
X-Received: by 10.43.137.65 with SMTP id in1mr442521icc.103.1372195356559; Tue, 25 Jun 2013 14:22:36 -0700 (PDT)
Date: Wed, 26 Jun 2013 00:22:36 +0300
From: "OMAR HASSAN (RIT Student)" <omh1835@rit.edu>
In-reply-to: <C39B0599-31B8-4D4F-9D45-86AD3B940E6B@gmx.net>
Sender: omh1835@rit.edu
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Message-id: <CALxQUYGkz3SxxAjqU+2aqRHmiwAp_PKT=qAgrLSvJRWq-ju2Sw@mail.gmail.com>
MIME-version: 1.0
Content-type: multipart/alternative; boundary="001a11c2456eca656f04e00120f6"
X-RIT-Received-From: 209.85.223.172
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type :x-gm-message-state; bh=eC4ceGH3Ru96eJDlEGvnt8XxA1yAEk87tfrw1wZxYlc=; b=ojWWV/HUQZUdWiNpVpzLSWD/uCc30UeXSiag6I+ugxUyG36GmCaJ8CkVsUQ/q7JVUV CrZY32UO6GbIkk+KjqBUK1W8y/O3F/fp+3vQFnVep9tdNHqE8rk0M9GYCivhRmZuHi1K ZZVG6Xs1u4ENmPIqIz3yHxTgWGkd1js+sDx6IhJYOhZ2YIseOR+kTUjmEryVuDhorrmm 6zCVxSs5SCdXlTMcs+uEFsh7fchdu4Hg89xnnJKYCj/f1MGnMFjhB94LWrcxE4BXs6Bu mNOQ4gWXAyYFCiLqbP0b/bf1kMSS/+eJ+7IDEtjJ2eQA82A3BkbIX+X2Lj8B94yAFdsy kSLA==
X-Google-Sender-Auth: eMiA3Ee3W59R8-C1EZIjdCQBQlY
X-Gm-Message-State: ALoCoQndwFfeR7+QZHvuMYRsyZI5p54Owm5hP18KQDefDZwAP0cLXaxptTFiT+Tr+DtAt/DUCY2eh0wW8Q5HFKjSUSU+VZTIS+Y3pGh1a+WJUrTXItjP4A5Y7Ew4xH+1PQB8xnfVznZA
References: <CALxQUYGdagDHr+A4EKN5qPD1jZG+dH8PHwb0-fKJVUN_vC1MSg@mail.gmail.com> <2A0EFB9C05D0164E98F19BB0AF3708C711B251EE97@USMBX1.msg.corp.akamai.com> <CALxQUYGpcKPOAoZ8J56AoUGx8B3JhdmMche8MdQuqD_S=Y22ZQ@mail.gmail.com> <2A0EFB9C05D0164E98F19BB0AF3708C711B251EF0E@USMBX1.msg.corp.akamai.com> <CALxQUYF1=oFBk=WZFoey+28j7MV7YvSkAD-YzJSeQ0Dp7uXmEA@mail.gmail.com> <2A0EFB9C05D0164E98F19BB0AF3708C711B251EFFF@USMBX1.msg.corp.akamai.com> <CALxQUYH-4HR7sO2jfxQnbro6+xM5hD_hdW-K_a-Esd9yiZ+oug@mail.gmail.com> <2A0EFB9C05D0164E98F19BB0AF3708C711B251F1E5@USMBX1.msg.corp.akamai.com> <CALxQUYEeLRxGz=_CO8pMYc4u2rm8u+u6fTiYH_3UMev-pNFC4g@mail.gmail.com> <CALxQUYF_ekkkGuhQdK7mJFJj5HcHJybXJYyvKZ721Qz_k_Td5w@mail.gmail.com> <C39B0599-31B8-4D4F-9D45-86AD3B940E6B@gmx.net>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] User Defined Key Pair
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Jun 2013 21:22:44 -0000

Hi Hannes

I think you are right the biggest issue that I am facing is the
communication of the idea. Currently I am taking notes from this discussion
to make use of them in new version of the draft, but I am really interested
in the initial thoughts about the idea, and I am doing my best to clarify
whatever mysterious.

But this version of the draft is very clear compared to the first version,
even me when I tried to reread the first version of the draft I couldn't
understand it :)

Thank You for your advice.


On Tue, Jun 25, 2013 at 11:02 PM, Hannes Tschofenig <
hannes.tschofenig@gmx.net> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Hi Omar,
>
> if you think your proposal is a good idea then I would encourage you to
> produce a draft. A draft, as a more complete writeup, often helps to
> communicate ideas more easily. It also helps to illustrate the bigger
> picture.
>
> Ciao
> Hannes
>
> PS: A minor remark - Facebook (as used in your example) uses IETF
> technology developed in a different working group. Their use case, as you
> can imagine, is a bit more complex than a browser talking to a server.
>
> On Jun 25, 2013, at 10:07 PM, OMAR HASSAN (RIT Student) wrote:
>
> > Hi Uri,
> >
> > May be I am still not able to clear my point regarding the man in the
> middle attack.
> >
> > When the user provides the credential information, he will not provide
> it to the Facebook log in page, instead he will go to the menu bar in his
> browser, and run the new plugin which has two tabs: one for log in; and the
> other for enrollment, and in the plugin interface the user will provide his
> credential information.
> >
> > The key pair will be generated inside the browser's plugin, and only the
> signed message, and the username will go to Facebook, no passwords will
> leave the user's browser. When the server receive the username and the
> signed message, it will send the session key encrypted with the user's
> public key.
> >
> > If  someone pretended to be Facebook, he will receive a public key and a
> signed message. The attacker cannot use this information to log into
> Facebook, because the signed message contains the current server's time
> stamp, so it's valid only for a few seconds.
> >
> > And even if the attacker sends the signed message and the username to
> the server, and the server accepted them, the next step is that the server
> will respond with the session key encrypted with the user's public key. How
> the attacker will read the public key if he doesn't have the private key,
> the private key that didn't leave the user's browser.
> >
> >
> > On Tue, Jun 25, 2013 at 7:55 PM, OMAR HASSAN (RIT Student) <
> omh1835@rit.edu> wrote:
> > Hi All
> >
> > >Stephan:
> >
> > >How you made sure that the user (client) is connected with the intended
> server?
> > >Paras Shah:
> >
> > >That is exactly the question I had. How is Server Authentication done
> with this approach?
> > >Rich:
> >
> > >I don’t see anything in your system that prevents this, either.  It
> seems that replacing your system with self-signed client >certificates
> would be equivalent.
> >
> > >Robert:
> > >As the proposal has no server authentication, it is surely broken in
> that respect i.e. the client could be lured to any bogus >website
> masquerading as a legitimate one. How would the client know?
> >
> > I would explain How is Server Authentication done with a practical
> example. Let's name facebook as our website that we need to protect using
> that new protocol.
> >
> > When I go to facebook, I would receive a browser message telling me:
> "Please use the UDKP protected access (Tools->UDKP Protected Access)!"
> > the user will go to the plugin interface, and provide the username,
> password, password confirmation, the plugin will create a file with random
> data stream in the user's usb, and then the user will click on the register
> button.
> >
> > At that point the plugin will create the key pair based on the random
> file, username, and password. The public key will go to the server with the
> username and a signed message, and the user will be redirected to the
> facebook registration page to complete his registration.
> >
> > Now the user profile is created on facebook and associated with the user
> public key.
> >
> > When the user tries to sign in later into facebook, and if he was
> deceived to sign in into a fake website, the user will go to the browser
> plugin interface, and provide the username, password, and select the file
> from his usb. At that point the user will be expecting to see his facebook
> timeline if he is really signing into the real facebook. Note that the user
> didn't provide the credential information to the website but to the browser
> plugin (Tools->UDKP Protected Access).
> >
> > In our case, the fake website will only receive the username, the public
> key, and the token (ServerHello.random ) signed with user private key, If
> the attacker delivered this message to the facebook server, the server will
> try to read and validate the token using the user public key. If it
> succeeds, it will respond with the session key premaster encrypted by the
> user public key. Because the user private key did not leave the browser,
> the attacker will not be able to read the session key and hence will not be
> able to monitor the traffic.
> >
> > So if the user was successfully able to see his timeline, he would be
> sure that he is communicating with the real facebook.
> >
> > >Robert:
> > >Token = enc(ServerHello.random, PrivKey) : The concept of encrypting
> using a private key seems pointless. Don't you mean >signing?
> >
> > Yes Robert, I mean signing not encrypting. Actually someone told me
> before about that mistake in the previous version, but unfortunately I
> forgot to correct it in the new version. Hopefully in the next version it
> will be corrected. Thank You.
> >
> > >Juho Vähä-Herttua:
> >
> > >The whole security of the system seems to be dependant on the security
> of the "browser plugin" and its key generation and encryption algorithms
> >
> > I preferred to make the generation of the key pair as a black box, so we
> can focus our discussion on the idea itself, so the question is if we have
> a key generation function that can generate key pair securely based on the
> username, password, and the file selected, would the idea be a good one.
> >
> > >What if someone detects this enrollment and sends a new public key for
> the user before the user has time to fill all the fields? Sounds like a
> race condition to me.
> >
> > The key pair generation is done inside the browser plugin interface, not
> in the website page, so there is no race condition, the communication with
> the website will start after the creation of the key pair.
> >
> >
> > >I don't see how this is different from generating a self signed client
> cert and verifying it with for example HMAC with username+password+question
> derived secret. If you already need a custom >browser
> > >plugin to handle the login, you can put all your custom logic there and
> use standard TLS for the rest.
> >
> > You can look at the generated key pair as a client certificate, but I
> preferred to make it as a key pair, so this key pair could be generated
> based on different approaches: security question, file, smart card,
> hardware token.
> >
> > Additionally it's not only about custom sign in, it's also about
> eliminating the dependence on the CA, so the session key must be encrypted
> with the user public key not encrypted with a key that claims to be the
> server public key.
> >
> > >Rich:
> >
> > >It’s great that you are trying to improve things; don’t get
> discouraged, but this ain’t there yet.  And as a first step to replacing
> all of SSL/TLS?  Nope.
> >
> > I am not discouraged at all, but I am still insisting that the security
> of my traffic to facebook must be the responsibility of me and facebook
> only, and not anyone else. And I am doing my best to achieve that. The
> discussion is very useful to me, may be after this discussion we can come
> out with a new final solution to this issue.
> >
> >
> > On Tue, Jun 25, 2013 at 2:29 PM, Salz, Rich <rsalz@akamai.com> wrote:
> > Ø  Self signed certificate is very dangerous because the user will not
> have a way to verify the identity of the certificate owner and he could be
> a victim to a man in the middle attack.
> >
> >
> >
> > I don’t see anything in your system that prevents this, either.  It
> seems that replacing your system with self-signed client certificates would
> be equivalent.
> >
> >
> >
> > It’s great that you are trying to improve things; don’t get discouraged,
> but this ain’t there yet.  And as a first step to replacing all of SSL/TLS?
>  Nope.
> >
> >
> >
> >                 /r$
> >
> >
> >
> > --
> >
> > Principal Security Engineer
> >
> > Akamai Technology
> >
> > Cambridge, MA
> >
> >
> >
> >
> >
> > _______________________________________________
> > TLS mailing list
> > TLS@ietf.org
> > https://www.ietf.org/mailman/listinfo/tls
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG/MacGPG2 v2.0.19 (Darwin)
> Comment: GPGTools - http://gpgtools.org
>
> iQEcBAEBCgAGBQJRyfc6AAoJEGhJURNOOiAt14IH+wX1gBztEr2vC7PkwKEmcU6Z
> tbLHVm5dUT1HR2uieVHEbjDviY8K/aM46C4Esxkh/6HyYe1RIJyrhHcqP0xv8ZjA
> zMlD4G6m4OVB+d5Wgvoj8FwHM9cs/WuNqWvf342LjB9EiHKyLGKKu6HVPYhrkzUr
> wHpj04n62lxyzQyPJA3nZ7hS/z/IW5zYB7ud+jIe2SpQWyGgPl+MlyxpihwQjCs3
> FVjTVPlc4E88DfgIf5rDbbwf8JqM8r0wVNcHn1PQnOeh2k+GHkuHuflhmQisGetz
> 5x/NyhT8XIHGvf8CJ23PYjgkkYcLRHn5I/OElLCSNK54Widkn5y5GAR2kqZiL4g=
> =TTA8
> -----END PGP SIGNATURE-----
>