IETF Logo Mail Archive

Re: [TLS] User Defined Key Pair

"OMAR HASSAN (RIT Student)" <omh1835@rit.edu> Mon, 24 June 2013 21:29 UTC

Return-Path: <omh1835@g.rit.edu>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4F13F11E8198 for <tls@ietfa.amsl.com>; Mon, 24 Jun 2013 14:29:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.976
X-Spam-Level:
X-Spam-Status: No, score=-2.976 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DRox92Z28UTx for <tls@ietfa.amsl.com>; Mon, 24 Jun 2013 14:29:34 -0700 (PDT)
Received: from sc3app27.rit.edu (sc3app27.rit.edu [129.21.35.56]) by ietfa.amsl.com (Postfix) with ESMTP id B776611E818B for <tls@ietf.org>; Mon, 24 Jun 2013 14:29:33 -0700 (PDT)
Received: from mail-ie0-f180.google.com (mail-ie0-f180.google.com [209.85.223.180]) by smtp-server.rit.edu (PMDF V6.3-x14 #31420) with ESMTPS id <0MOX00EOJ2D6JJ@smtp-server.rit.edu> for tls@ietf.org; Mon, 24 Jun 2013 17:29:32 -0400 (EDT)
Received: by mail-ie0-f180.google.com with SMTP id f4so24872107iea.25 for <tls@ietf.org>; Mon, 24 Jun 2013 14:29:30 -0700 (PDT)
Received: by 10.43.115.3 with HTTP; Mon, 24 Jun 2013 14:29:30 -0700 (PDT)
X-Received: by 10.50.36.10 with SMTP id m10mr6827356igj.31.1372109370825; Mon, 24 Jun 2013 14:29:30 -0700 (PDT)
X-Received: by 10.50.36.10 with SMTP id m10mr6827351igj.31.1372109370682; Mon, 24 Jun 2013 14:29:30 -0700 (PDT)
Date: Tue, 25 Jun 2013 00:29:30 +0300
From: "OMAR HASSAN (RIT Student)" <omh1835@rit.edu>
In-reply-to: <2A0EFB9C05D0164E98F19BB0AF3708C711B251EFFF@USMBX1.msg.corp.akamai.com>
Sender: omh1835@rit.edu
To: "Salz, Rich" <rsalz@akamai.com>
Message-id: <CALxQUYH-4HR7sO2jfxQnbro6+xM5hD_hdW-K_a-Esd9yiZ+oug@mail.gmail.com>
MIME-version: 1.0
Content-type: multipart/alternative; boundary="089e013c69bca2d4bb04dfed1b22"
X-RIT-Received-From: 209.85.223.180
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type :x-gm-message-state; bh=FUkzzdK7yZHiPZ2vGpdzDbYdPoG9CdV8RTnD34jHoKY=; b=YcDjqW4pr7IUNCiPyCnKS92nkYeggJhzXvEk0EQKfAUXJKumjdFM2iUQIJPxU/zHAL 1H2BRlDPPQvlQh77kgR4vBKMZWmX7OU6CbYJBqxRno+wdrflHK9b/apnAzXDLdnop9J9 QK/I1YkdL5mzTGU6CgdvpH3EUtCVFyBT+uzgjjYSp9at+OWJvB55sXNrD9MzZVmhWliU FkcSFUFEjhodUBTor7li9SlcI/uvfdC6by4IGmPErpkbiX4BidUhSWVSXMatSfAx8lZq 0xZbgYjfpAYRhxTu9ytdUnKVi4CI0QVZIfZLtv2XsSR6V6B2SNv/ER+OkugOFfPnuRhf zGNg==
X-Google-Sender-Auth: 9NTRMzerGOhlmFVHZAgFMtNUyJo
X-Gm-Message-State: ALoCoQktCZkda9y6EMGIuQaUU4oXVYn/FYekkH0bYeEvwgRV67otSPIePucBbMZaV9O78FLUsa63k+gUu8MrLcu2ueO1v1PQlkwZaNIqLURzkttvzS0XqbbfVlHl/2IMrH6atfRgL45y
References: <CALxQUYGdagDHr+A4EKN5qPD1jZG+dH8PHwb0-fKJVUN_vC1MSg@mail.gmail.com> <2A0EFB9C05D0164E98F19BB0AF3708C711B251EE97@USMBX1.msg.corp.akamai.com> <CALxQUYGpcKPOAoZ8J56AoUGx8B3JhdmMche8MdQuqD_S=Y22ZQ@mail.gmail.com> <2A0EFB9C05D0164E98F19BB0AF3708C711B251EF0E@USMBX1.msg.corp.akamai.com> <CALxQUYF1=oFBk=WZFoey+28j7MV7YvSkAD-YzJSeQ0Dp7uXmEA@mail.gmail.com> <2A0EFB9C05D0164E98F19BB0AF3708C711B251EFFF@USMBX1.msg.corp.akamai.com>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] User Defined Key Pair
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Jun 2013 21:29:40 -0000

Hello Rich

When the user enrolls into one of those websites, and let's say he will go
with the second option of using a usb as a second factor authentication,
where the password is something he knows, and the usb is something he has.

when he plug the usb into the computer, the browser plugin will create a
random data stream and save it into a file in the usb, this file will be
passed to the genKeyPair function with the username and the password to
generate the key pair.

when the user tries to log in later into the website, he will plug the usb
into the computer and select that previously created file that will be
passed to the genKeyPair function with the username and the password to
generate the same key pair.

On the server the user public key will be used to encrypt the session key
pre-master that will be used by the browser and the server to generate the
session keys.

Self signed certificate is very dangerous because the user will not have a
way to verify the identity of the certificate owner and he could be a
victim to a man in the middle attack.


On Mon, Jun 24, 2013 at 9:34 PM, Salz, Rich <rsalz@akamai.com> wrote:

> **Ø  **and up to having a smart card, or hardware token that has large
> enough random seed that will work with the username and the password as
> a second factor authentication.****
>
> ** **
>
> That doesn’t seem to make sense – if you’re generating the keypair,
> predictably, from the inputs, how does a random seed enter into it?  And
> what is the second factor authentication in this situation?****
>
> ** **
>
> I’m starting to think you’re swimming out a little further into the deep
> end then you should.****
>
> ** **
>
> If you are trying to avoid CA’s, then why not just use self-signed
> certificates or similar like PGP?****
>
> ** **
>
>                 /r$****
>
> ** **
>
> --  ****
>
> Principal Security Engineer****
>
> Akamai Technology****
>
> Cambridge, MA****
>
> ** **
>

v2.23.0 | Report a Bug | By Email