Re: [TLS] Should TLS 1.3 use an augmented PAKE by default?
Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 20 March 2014 15:52 UTC
Return-Path: <dkg@fifthhorseman.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C70671A0763 for <tls@ietfa.amsl.com>; Thu, 20 Mar 2014 08:52:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Z4qw_STFPrd7 for <tls@ietfa.amsl.com>; Thu, 20 Mar 2014 08:52:20 -0700 (PDT)
Received: from che.mayfirst.org (che.mayfirst.org [209.234.253.108]) by ietfa.amsl.com (Postfix) with ESMTP id 69EF31A0743 for <tls@ietf.org>; Thu, 20 Mar 2014 08:52:20 -0700 (PDT)
Received: from [10.70.10.55] (unknown [38.109.115.130]) by che.mayfirst.org (Postfix) with ESMTPSA id A6568F984; Thu, 20 Mar 2014 11:52:09 -0400 (EDT)
Message-ID: <532B0EAA.5040104@fifthhorseman.net>
Date: Thu, 20 Mar 2014 11:52:10 -0400
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Icedove/24.3.0
MIME-Version: 1.0
To: Yoav Nir <ynir.ietf@gmail.com>, Andy Lutomirski <luto@amacapital.net>
References: <53288C43.9010205@mit.edu> <5328B6DF.8070703@fifthhorseman.net> <5328C0C8.9060403@mit.edu> <6b79e0820d349720f12b14d4706a8a5d.squirrel@webmail.dreamhost.com> <CALCETrUz8zCBHiq42GTnkkSaBcpA5pjSvk6kwwPjzn+MtBKMgA@mail.gmail.com> <e38419e3ada3233dbb3f860048703347.squirrel@webmail.dreamhost.com> <CALCETrVgJxfdCxZqc9ttHHNKHm-hdtGbqzHvsQ-6yd5BK=9PDw@mail.gmail.com> <67BAC033-2E23-4F03-A4D9-47875350E6B5@gmail.com>
In-Reply-To: <67BAC033-2E23-4F03-A4D9-47875350E6B5@gmail.com>
X-Enigmail-Version: 1.6
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="rkOVObKunRVKAn8eIEApIcmgmrDrrhd3B"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/OFt8uke1z4gZfNqi7qw_fnhRkxo
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Should TLS 1.3 use an augmented PAKE by default?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Mar 2014 15:52:24 -0000
On 03/20/2014 04:51 AM, Yoav Nir wrote: > The thing is, as long as the authentication happens in the application layer, none of the fancy crypto matters. If my bank implements a PAKE in the login screen using Javascript, a decent web designer can make a website that looks identical, only the passwords go in the clear to the phisher, and there is no fancy PAKE javascript. Good crypto in indistinguishable from bad crypto or no crypto at all. This is the core of the issue for client authentication in a web browser, i think. Regardless of whether we're talking about PAKE or client certs or some other mechanism, we have two choices: Either: A) We begin to establish a new norm for client-authentication UX that relies on unspoofable and easily-recognizable browser chrome (with some sort of browser-chrome logout mechanism as well), and start training users to distrust <input type="password"/> (perhaps at first on a site-by-site basis), taking some serious UX control away from web site designers. or: B) We continue to let web sites drive the full UX decisions, and leave users vulnerable to phishing attacks. option (A) is seriously hard, maybe impossible given the state of the web. option (B) is terrible. TLS can help this effort by making clear recommendations for how cryptographically strong authentication can be used, and tailoring some of those specifications for browsers that might want to use them. Already, we have discussions in httpbis about some additional HTTP mechanism so that the browser can trigger cryptographic use for client authentication in the TLS layer, and a proposed client-cert extension to make use of them: https://tools.ietf.org/html/draft-thomson-tls-care https://tools.ietf.org/html/draft-thomson-httpbis-catch This should provide a way for web sites to have full control over their unauthenticated UI and have well-specified mechanism that browser chrome can use when presenting client-authentication activity to the user. But Thomson's proposed scheme targets the use of client-side certs, not PAKE. If you really want PAKE to work as well in the HTTP context, it seems likely to have to think through the same cases. Perhaps the drafts above need to be modified to provide for SRP or some other PAKE as well as client-certs so that the same communications-flow can be used in a PAKE context at the TLS layer? If so, why would that be a better outcome than using PAKE directly at the HTTP layer (e.g. https://tools.ietf.org/html/draft-ietf-httpauth-mutual) ? --dkg
- [TLS] Should TLS 1.3 use an augmented PAKE by def… Andy Lutomirski
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Daniel Kahn Gillmor
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Andy Lutomirski
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Ryan Sleevi
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Andy Lutomirski
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Andy Lutomirski
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Ryan Sleevi
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Anders Rundgren
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Ryan Sleevi
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Peter Sylvester
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Andy Lutomirski
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Andy Lutomirski
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Yoav Nir
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Daniel Kahn Gillmor
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Paul Hoffman
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Yoav Nir
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Daniel Kahn Gillmor
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Robert Cragie
- [TLS] bootstrapping of constrained devices (was: … Rene Struik
- Re: [TLS] bootstrapping of constrained devices Anders Rundgren
- Re: [TLS] bootstrapping of constrained devices (w… Michael Sweet
- Re: [TLS] bootstrapping of constrained devices (w… t.petch
- Re: [TLS] bootstrapping of constrained devices (w… Michael Sweet
- Re: [TLS] bootstrapping of constrained devices Anders Rundgren
- Re: [TLS] bootstrapping of constrained devices (w… Max Pritikin (pritikin)
- Re: [TLS] bootstrapping of constrained devices (w… Don Sturek
- Re: [TLS] bootstrapping of constrained devices Robert Cragie
- Re: [TLS] bootstrapping of constrained devices Watson Ladd
- Re: [TLS] bootstrapping of constrained devices Paterson, Kenny
- Re: [TLS] bootstrapping of constrained devices Feng Hao
- Re: [TLS] bootstrapping of constrained devices Paterson, Kenny
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Yaron Sheffer
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Yaron Sheffer
- Re: [TLS] bootstrapping of constrained devices Feng Hao
- Re: [TLS] bootstrapping of constrained devices Dan Harkins