Re: [TLS] Fwd: New Version Notification for draft-barnes-tls-pake-04.txt

Tim Hollebeek <tim.hollebeek@digicert.com> Thu, 19 July 2018 14:10 UTC

From: Tim Hollebeek <tim.hollebeek@digicert.com>
To: Hugo Krawczyk <hugo@ee.technion.ac.il>, Richard Barnes <rlb@ipv.sx>
CC: "<tls@ietf.org>" <tls@ietf.org>
Thread-Topic: [TLS] Fwd: New Version Notification for draft-barnes-tls-pake-04.txt
Thread-Index: AQHUHrt4BgTH4X4ju02o9CBvtNNX4KSVnD6AgAD6YJA=
Date: Thu, 19 Jul 2018 14:10:08 +0000
Message-ID: <BN6PR14MB1106CA7FAAFBDE414FF4A6BE83520@BN6PR14MB1106.namprd14.prod.outlook.com>
References: <153176915207.21824.6939177297174810137.idtracker@ietfa.amsl.com> <CAL02cgTYN=rQo8_ZiENs4ByWErgPn-u7x8pw9rePpZzhqFhwMQ@mail.gmail.com> <CADi0yUO4Th43FF+XVJQ1Tvsv_bmJJTWkNo2WYZ-jn8kBfGiSsA@mail.gmail.com>
In-Reply-To: <CADi0yUO4Th43FF+XVJQ1Tvsv_bmJJTWkNo2WYZ-jn8kBfGiSsA@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/f6pPAt_hJSL09jaDI3NTzk3NoQY>
Subject: Re: [TLS] Fwd: New Version Notification for draft-barnes-tls-pake-04.txt
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>

Unfortunately, I haven’t had time to review the document, but +1 for interesting problem, and +1 for anything Richard writes as a good starting point, even if I haven’t read it.

-Tim

From: TLS <tls-bounces@ietf.org> On Behalf Of Hugo Krawczyk
Sent: Wednesday, July 18, 2018 7:13 PM
To: Richard Barnes <rlb@ipv.sx>
Cc: <tls@ietf.org> <tls@ietf.org>
Subject: Re: [TLS] Fwd: New Version Notification for draft-barnes-tls-pake-04.txt

+1 for this work.

If you are one of those who think, as I did 20 years ago, that password authentication is dying and practical replacements are just around the corner, do not support this document. Otherwise, please do.

Asymmetric or augmented PAKE (aPAKE) protocols provide secure password authentication in the common client-server case (where the server stores a one-way mapping of the password) without relying on PKI - except during user/password registration. Passwords remain secure regardless of which middleboxes or endpoints spy into your decrypted TLS streams.  The server never sees the password, not even during password registration.

To see real deployment of such protocols, they need to be integrated with TLS, which is what Barnes's draft facilitates. Not only does this significantly improve the protection of passwords and password authentication, but aPAKE protocols also provide a hedge against PKI failures by enabling mutual client-server authentication without relying on regular server certificates.

Hugo

On Wed, Jul 18, 2018 at 1:18 PM, Richard Barnes <rlb@ipv.sx> wrote:

Hey TLS WG,

In response to some of the list discussion since the last IETF, Owen and I revised our TLS PAKE draft.  In the current version, instead of binding to a single PAKE (SPAKE2+), it defines a general container that can carry messages for any PAKE that has the right shape.  And we think that "right shape" covers several current PAKEs: SPAKE2+, Dragonfly, SRP, OPAQUE, ....

The chairs have graciously allotted us 5min on the agenda for Thursday, where I'd like to ask for the WG to adopt the document.  So please speak up if you think this is an interesting problem for the TLS WG to work on, and if you think the approach in this document is a good starting point.  Happy for comments here or at the microphone on Thursday!

Thanks,

--Richard

---------- Forwarded message ---------
From: <internet-drafts@ietf.org>
Date: Mon, Jul 16, 2018 at 3:25 PM
Subject: New Version Notification for draft-barnes-tls-pake-04.txt
To: Richard Barnes <rlb@ipv.sx>, Owen Friel <ofriel@cisco.com>

A new version of I-D, draft-barnes-tls-pake-04.txt
has been successfully submitted by Richard Barnes and posted to the
IETF repository.

Name:           draft-barnes-tls-pake
Revision:       04
Title:          Usage of PAKE with TLS 1.3
Document date:  2018-07-16
Group:          Individual Submission
Pages:          11
URL:            https://www.ietf.org/internet-drafts/draft-barnes-tls-pake-04.txt
Status:         https://datatracker.ietf.org/doc/draft-barnes-tls-pake/
Htmlized:       https://tools.ietf.org/html/draft-barnes-tls-pake-04
Htmlized:       https://datatracker.ietf.org/doc/html/draft-barnes-tls-pake
Diff:           https://www.ietf.org/rfcdiff?url2=draft-barnes-tls-pake-04

Abstract:
   The pre-shared key mechanism available in TLS 1.3 is not suitable for
   usage with low-entropy keys, such as passwords entered by users.
   This document describes an extension that enables the use of
   password-authenticated key exchange protocols with TLS 1.3.




Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat

