Re: [TLS] is it good using password for authentication only?

Thijs van Dijk <schnabbel@inurbanus.nl> Sun, 19 July 2015 10:42 UTC

Return-Path: <schnabbel@inurbanus.nl>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 85EB51AC406 for <tls@ietfa.amsl.com>; Sun, 19 Jul 2015 03:42:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.712
X-Spam-Level:
X-Spam-Status: No, score=-0.712 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, SPF_SOFTFAIL=0.665] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6oCLybuEGOvn for <tls@ietfa.amsl.com>; Sun, 19 Jul 2015 03:42:24 -0700 (PDT)
Received: from mail-wg0-x236.google.com (mail-wg0-x236.google.com [IPv6:2a00:1450:400c:c00::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 07C021AC402 for <tls@ietf.org>; Sun, 19 Jul 2015 03:42:23 -0700 (PDT)
Received: by wgmn9 with SMTP id n9so110930199wgm.0 for <tls@ietf.org>; Sun, 19 Jul 2015 03:42:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=inurbanus.nl; s=google-inurb; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=X4rL6BkqnBGPbQTF0xugSFMNpCn5+I0AJxpv7Lds9uQ=; b=oUmdIOVveNDQpkZvhqgSmb/2tX7QxVBZjvSv8aM7JMDhl8zasQTeBLJYCgs20IktVf MVgRton6F7vbyav45t8XbMjM1Yf234HLtXZ13aouPhEQpl7FgIOHs/o8s3m5Ru2bCfO0 rjyH+7tKUBx/bQtBaqX5uviODTmmoIOdv/VaQ=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=X4rL6BkqnBGPbQTF0xugSFMNpCn5+I0AJxpv7Lds9uQ=; b=MKqd0/dH9hNgviSoWulL3R2TSHfd5bFpVIIgJHbB7JDsWntFd4arJUDWvLEJPaQbD+ b3k48KD/pD7QLeSUA4ATynNThrE/8h5WLkKQIae/gEP3mO5wUg+hXzIr2rzKzf8Jh9Qw 15KG8dzliXkaF/OdSg0yzd7FE/2QnxXMX8wpA6bhBpULY6Ob1r7G9WWmrUvwFbHpgYwv HNNMs9dziLgxM2qCjb2W+In4r9PdoKawN8OJH5ZV5tR4gllCxtsj6FrYZwFpZobcHMQD f5glJxn9bE39t3vcVJUSWqxgVLHdmpnJPZBiAJG8Z1S6klK2oH5hD4o+rGVmeVAFZARg 8zSw==
X-Gm-Message-State: ALoCoQmGQ3PO9KID28ChseHFYN/gZgz0Wdt4QRPo6bsEfgrEYeUCALCdfDpSztxchwlz4hzD3nxx
MIME-Version: 1.0
X-Received: by 10.194.47.209 with SMTP id f17mr45397157wjn.39.1437302542643; Sun, 19 Jul 2015 03:42:22 -0700 (PDT)
Received: by 10.28.90.85 with HTTP; Sun, 19 Jul 2015 03:42:22 -0700 (PDT)
In-Reply-To: <55AB7A19.5030502@elzevir.fr>
References: <----3-------MPf3-$e9162029-e7fe-4f8d-9805-569a4c7475b1@alibaba-inc.com> <----3-------MPf3-$9050573e-2304-452c-9b77-668deaf79dd6@alibaba-inc.com> <55AB7A19.5030502@elzevir.fr>
Date: Sun, 19 Jul 2015 12:42:22 +0200
Message-ID: <CADGaDpG5D391SD4SNfy5f3_ZY0+Oj2ut4Wc04vTwnWxHxraOhQ@mail.gmail.com>
From: Thijs van Dijk <schnabbel@inurbanus.nl>
To: Manuel Pegourie-Gonnard <mpg2@elzevir.fr>
Content-Type: multipart/alternative; boundary=047d7b86df467d950e051b381363
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/Vzh1XY-kJTUtN1eRCJ8wOJYYkYo>
Cc: tls <tls@ietf.org>
Subject: Re: [TLS] is it good using password for authentication only?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 19 Jul 2015 10:42:25 -0000

Hi Manuel,

On 19 July 2015 at 12:21, Manuel Pegourie-Gonnard <mpg2@elzevir.fr> wrote:

> I'm probably wrong since I only thought about it for a few minutes, but it
> seems to me that the PasswordVerify message would be encrypted with (keys
> derived from) the handshake master secret, which would prevent offline
> attacks.
>
> What am I missing?


The key observation is the following: (I mentioned this off-list a few
weeks ago, but I guess I'll post it here as well for posterity.)

[T]he master secret will be derived from the client's and server's
> respective KeyShare messages, and will therefore be known at the time the
> server's PasswordVerify is sent. A malicious client could therefore perform
> half a handshake (just enough to get the server to give up its PV message),
> abort, and proceed with an offline attack in its own time.



I thought about switching the order in which server and client send their
> PV, but in much the same manner this won't protect clients from malicious
> servers.


-Thijs