IETF Logo Mail Archive

Re: [TLS] Should TLS 1.3 use an augmented PAKE by default?

Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 20 March 2014 15:52 UTC

Return-Path: <dkg@fifthhorseman.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C70671A0763 for <tls@ietfa.amsl.com>; Thu, 20 Mar 2014 08:52:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Z4qw_STFPrd7 for <tls@ietfa.amsl.com>; Thu, 20 Mar 2014 08:52:20 -0700 (PDT)
Received: from che.mayfirst.org (che.mayfirst.org [209.234.253.108]) by ietfa.amsl.com (Postfix) with ESMTP id 69EF31A0743 for <tls@ietf.org>; Thu, 20 Mar 2014 08:52:20 -0700 (PDT)
Received: from [10.70.10.55] (unknown [38.109.115.130]) by che.mayfirst.org (Postfix) with ESMTPSA id A6568F984; Thu, 20 Mar 2014 11:52:09 -0400 (EDT)
Message-ID: <532B0EAA.5040104@fifthhorseman.net>
Date: Thu, 20 Mar 2014 11:52:10 -0400
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Icedove/24.3.0
MIME-Version: 1.0
To: Yoav Nir <ynir.ietf@gmail.com>, Andy Lutomirski <luto@amacapital.net>
References: <53288C43.9010205@mit.edu> <5328B6DF.8070703@fifthhorseman.net> <5328C0C8.9060403@mit.edu> <6b79e0820d349720f12b14d4706a8a5d.squirrel@webmail.dreamhost.com> <CALCETrUz8zCBHiq42GTnkkSaBcpA5pjSvk6kwwPjzn+MtBKMgA@mail.gmail.com> <e38419e3ada3233dbb3f860048703347.squirrel@webmail.dreamhost.com> <CALCETrVgJxfdCxZqc9ttHHNKHm-hdtGbqzHvsQ-6yd5BK=9PDw@mail.gmail.com> <67BAC033-2E23-4F03-A4D9-47875350E6B5@gmail.com>
In-Reply-To: <67BAC033-2E23-4F03-A4D9-47875350E6B5@gmail.com>
X-Enigmail-Version: 1.6
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="rkOVObKunRVKAn8eIEApIcmgmrDrrhd3B"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/OFt8uke1z4gZfNqi7qw_fnhRkxo
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Should TLS 1.3 use an augmented PAKE by default?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Mar 2014 15:52:24 -0000

On 03/20/2014 04:51 AM, Yoav Nir wrote:

> The thing is, as long as the authentication happens in the application layer, none of the fancy crypto matters. If my bank implements a PAKE in the login screen using Javascript, a decent web designer can make a website that looks identical, only the passwords go in the clear to the phisher, and there is no fancy PAKE javascript. Good crypto in indistinguishable from bad crypto or no crypto at all.

This is the core of the issue for client authentication in a web
browser, i think.  Regardless of whether we're talking about PAKE or
client certs or some other mechanism, we have two choices:

Either:

A) We begin to establish a new norm for client-authentication UX that
relies on unspoofable and easily-recognizable browser chrome (with some
sort of browser-chrome logout mechanism as well), and start training
users to distrust <input type="password"/> (perhaps at first on a
site-by-site basis), taking some serious UX control away from web site
designers.

 or:

B) We continue to let web sites drive the full UX decisions, and leave
users vulnerable to phishing attacks.

option (A) is seriously hard, maybe impossible given the state of the
web.  option (B) is terrible.

TLS can help this effort by making clear recommendations for how
cryptographically strong authentication can be used, and tailoring some
of those specifications for browsers that might want to use them.

Already, we have discussions in httpbis about some additional HTTP
mechanism so that the browser can trigger cryptographic use for client
authentication in the TLS layer, and a proposed client-cert extension to
make use of them:

 https://tools.ietf.org/html/draft-thomson-tls-care
 https://tools.ietf.org/html/draft-thomson-httpbis-catch

This should provide a way for web sites to have full control over their
unauthenticated UI and have well-specified mechanism that browser chrome
can use when presenting client-authentication activity to the user.  But
Thomson's proposed scheme targets the use of client-side certs, not
PAKE.  If you really want PAKE to work as well in the HTTP context, it
seems likely to have to think through the same cases.

Perhaps the drafts above need to be modified to provide for SRP or some
other PAKE as well as client-certs so that the same communications-flow
can be used in a PAKE context at the TLS layer?  If so, why would that
be a better outcome than using PAKE directly at the HTTP layer (e.g.
https://tools.ietf.org/html/draft-ietf-httpauth-mutual) ?

	--dkg

v2.23.0 | Report a Bug | By Email