IETF Logo Mail Archive

RE: [TLS] password-based authentication (was: Some comments about draft-badra-ecdhe-tls-psk-01)

Chris Newman <Chris.Newman@Sun.COM> Wed, 30 January 2008 23:12 UTC

Return-path: <tls-bounces@lists.ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1JKM6s-0006BU-Hi; Wed, 30 Jan 2008 18:12:50 -0500
Received: from tls by megatron.ietf.org with local (Exim 4.43) id 1JKM6r-0006BP-Qf for tls-confirm+ok@megatron.ietf.org; Wed, 30 Jan 2008 18:12:49 -0500
Received: from [10.90.34.44] (helo=chiedprmail1.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1JKM6r-0006BH-EM for tls@ietf.org; Wed, 30 Jan 2008 18:12:49 -0500
Received: from brmea-mail-2.sun.com ([192.18.98.43]) by chiedprmail1.ietf.org with esmtp (Exim 4.43) id 1JKM6q-0005A2-OR for tls@ietf.org; Wed, 30 Jan 2008 18:12:49 -0500
Received: from fe-amer-10.sun.com ([192.18.109.80]) by brmea-mail-2.sun.com (8.13.6+Sun/8.12.9) with ESMTP id m0UNCmMx008102 for <tls@ietf.org>; Wed, 30 Jan 2008 23:12:48 GMT
Received: from conversion-daemon.mail-amer.sun.com by mail-amer.sun.com (Sun Java System Messaging Server 6.2-8.04 (built Feb 28 2007)) id <0JVH00K01CBSSE00@mail-amer.sun.com> (original mail from Chris.Newman@Sun.COM) for tls@ietf.org; Wed, 30 Jan 2008 16:12:48 -0700 (MST)
Received: from [10.0.191.236] ([10.1.110.5]) by mail-amer.sun.com (Sun Java System Messaging Server 6.2-8.04 (built Feb 28 2007)) with ESMTPSA id <0JVH007GGCH6ZZ90@mail-amer.sun.com>; Wed, 30 Jan 2008 16:12:46 -0700 (MST)
Date: Wed, 30 Jan 2008 15:12:42 -0800
From: Chris Newman <Chris.Newman@Sun.COM>
Subject: RE: [TLS] password-based authentication (was: Some comments about draft-badra-ecdhe-tls-psk-01)
In-reply-to: <B356D8F434D20B40A8CEDAEC305A1F24052E8B6C@esebe105.NOE.Nokia.com>
To: Pasi.Eronen@nokia.com, dharkins@lounge.org
Message-id: <BB08005FCE7305534C205D83@446E7922C82D299DB29D899F>
MIME-version: 1.0
X-Mailer: Mulberry/4.0.8 (Mac OS X)
Content-type: text/plain; format="flowed"; charset="us-ascii"
Content-transfer-encoding: 7bit
Content-disposition: inline
References: <B356D8F434D20B40A8CEDAEC305A1F240511959C@esebe105.NOE.Nokia.com> <87sl15pxnx.fsf@mocca.josefsson.org> <B356D8F434D20B40A8CEDAEC305A1F24052E8740@esebe105.NOE.Nokia.com> <28109.216.31.249.246.1201632747.squirrel@www.trepanning.net> <B356D8F434D20B40A8CEDAEC305A1F24052E8B6C@esebe105.NOE.Nokia.com>
X-Spam-Score: 0.0 (/)
X-Scan-Signature: c1c65599517f9ac32519d043c37c5336
Cc: tls@ietf.org
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Errors-To: tls-bounces@lists.ietf.org

Pasi.Eronen@nokia.com wrote on 1/30/08 9:58 +0200:

> Dan Harkins wrote:
>
>> Personally I would view a password-based authentication scheme
>> that assumes the shared key is a low-entropy one or is selected
>> from a limited set of keys, like a dictionary, as more useful to
>> the real world. I believe that is the predominant access method
>> used in the Internet today.
>
> Just being curious, what would be the main differences between
> the authentication scheme you're thinking about, and RFC 5054?

On the protocol side, not much.

On the implementation side, it would roughly double the complexity of a typical 
TLS API in order to actually be useful to applications.  The password verifier 
could be stored in any one of a number of external repositories (LDAP, RADIUS, 
DIAMETER, SQL, Liberty, some other SOAP/HTTP mechanism, /etc/passwd, NIS, etc) 
and the application would have to provide the TLS stack with sophisticated 
configuration knobs related to these protocols.  As a matter of efficiency, 
some of these protocols are not cheap so high performance servers will have to 
keep a pool of connections, then fetch and cache the information locally. 
Attributes that are peripherally related to authentication or unrelated to 
authentication may also be accessed via these protocols and need to be cached 
as well to avoid the need for double-fetching of the same entry.  So the API 
needs a way to put all sorts of controls on the protocols used to fetch this 
data, timeouts, what attributes are of interest, caching parameters, etc.  Then 
there's need for back-channels to the cache (flushing specific entries on 
provisioning changes) which means hooking up to a notification mechanism to the 
caching logic under the TLS stack.

Personally, I think TLS stacks are plenty complex enough without all this 
machinery.  As a matter of architecture, I'd rather keep this machinery 
completely separate from the TLS stack and use TLS channel bindings when mutual 
authentication at the application layer is needed.

Although I'm dubious of the utility of PSK, it seems mostly harmless to the TLS 
stack as long as it's not a password.  The primary utility I see for PSK would 
be for server->server connections if it's coupled with an SSH-style 
zero-configuration key setup mechanism (I don't see it as having much 
real-world utility without the latter piece).  If PSK proves to be useful than 
ECC-PSK is also likely to be useful simply because of the improved key 
scalability.

                - Chris



_______________________________________________
TLS mailing list
TLS@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email