Re: [TLS] User Defined Key Pair

"OMAR HASSAN (RIT Student)" <omh1835@rit.edu> Fri, 12 July 2013 12:40 UTC

Return-Path: <omh1835@g.rit.edu>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AE92A11E8110 for <tls@ietfa.amsl.com>; Fri, 12 Jul 2013 05:40:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.33
X-Spam-Level:
X-Spam-Status: No, score=-2.33 tagged_above=-999 required=5 tests=[AWL=-0.646, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, MISSING_HEADERS=1.292, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YzkyUNnkZWxd for <tls@ietfa.amsl.com>; Fri, 12 Jul 2013 05:40:45 -0700 (PDT)
Received: from sc3app27.rit.edu (sc3app27.rit.edu [129.21.35.56]) by ietfa.amsl.com (Postfix) with ESMTP id C273011E8106 for <tls@ietf.org>; Fri, 12 Jul 2013 05:40:44 -0700 (PDT)
Received: from mail-ie0-f177.google.com (mail-ie0-f177.google.com [209.85.223.177]) by smtp-server.rit.edu (PMDF V6.3-x14 #31420) with ESMTPS id <0MPT003FVPVUOC@smtp-server.rit.edu> for tls@ietf.org; Fri, 12 Jul 2013 08:40:43 -0400 (EDT)
Received: by mail-ie0-f177.google.com with SMTP id aq17so19434981iec.8 for <tls@ietf.org>; Fri, 12 Jul 2013 05:40:42 -0700 (PDT)
Received: by 10.42.232.200 with HTTP; Fri, 12 Jul 2013 05:40:41 -0700 (PDT)
X-Received: by 10.43.137.65 with SMTP id in1mr12785614icc.103.1373632842055; Fri, 12 Jul 2013 05:40:42 -0700 (PDT)
X-Received: by 10.43.137.65 with SMTP id in1mr12785612icc.103.1373632841944; Fri, 12 Jul 2013 05:40:41 -0700 (PDT)
Date: Fri, 12 Jul 2013 15:40:41 +0300
From: "OMAR HASSAN (RIT Student)" <omh1835@rit.edu>
In-reply-to: <CALxQUYETFnCS0BHQrtCR-O6K48P0q2KitExLTkC5PBjNuPMCtQ@mail.gmail.com>
Sender: omh1835@rit.edu
Cc: "tls@ietf.org" <tls@ietf.org>
Message-id: <CALxQUYGL6HDZS1F5Ss3OyeoJqWwmm7N8qyxtUX_fdidHbFb9vQ@mail.gmail.com>
MIME-version: 1.0
Content-type: multipart/alternative; boundary="001a11c2456e989df204e14fd122"
X-RIT-Received-From: 209.85.223.177
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:cc:content-type :x-gm-message-state; bh=AAuCoV/l41vcFFpfwdki4mrVReETers6boW6krcUfXQ=; b=ohGzkv3ngi6dcGP5goEMoM6wuntQIQCxcZwL83OizJ9b53e9Py1Amy+StfOqRBqu4r MzNhzukBcLD0rDYZaS1vNHQqerbNSgpyLvYCeqGG2k94UgcRXRmWZy8DdflGTnYIhGQv 0RNpq5ph3SaUTSbSeux/65mATE4SgvNdKOG+S2s6lHilai5gwDlVmt43rWN2AY4YNGN6 1f8jNsdGXMhC6/lPg9DiE/bMhFU9ER8p0hpp6Hao3gpoxiq22BiI8Cg86Dt+bhPdm4hJ 7T9Igte+HN+4P9g8VSlQXDggNFVKmThhDc/dIM6IXX2lhlxIYyMm0NrxC5nb1nuy/7rN Oo7Q==
X-Google-Sender-Auth: MkhoxjvRNnv97K73x0psXljvNPQ
X-Gm-Message-State: ALoCoQmWGA+ZWzYBrIqXlfLNj+ScWJ2221aH7nKu4fjlPdcYzBtxWu+etUatogpD7oCj816sx8apFqUJaMxCA5nYQR5FQcvatnLgTLck0pkuJ9ooV1nz6gVIMC7yRe8dZmyfLBZlAv7N
References: <CALxQUYGdagDHr+A4EKN5qPD1jZG+dH8PHwb0-fKJVUN_vC1MSg@mail.gmail.com> <2A0EFB9C05D0164E98F19BB0AF3708C711B251EE97@USMBX1.msg.corp.akamai.com> <CALxQUYGpcKPOAoZ8J56AoUGx8B3JhdmMche8MdQuqD_S=Y22ZQ@mail.gmail.com> <2A0EFB9C05D0164E98F19BB0AF3708C711B251EF0E@USMBX1.msg.corp.akamai.com> <CALxQUYF1=oFBk=WZFoey+28j7MV7YvSkAD-YzJSeQ0Dp7uXmEA@mail.gmail.com> <2A0EFB9C05D0164E98F19BB0AF3708C711B251EFFF@USMBX1.msg.corp.akamai.com> <764a0c52c3800444b69cca4b5b26157c.squirrel@www.trepanning.net> <CALxQUYFwZ8WyFDmCebvLyHoqsOGNBuCaEjiWhZPx0QyExWzcrw@mail.gmail.com> <7648a5048f19c6f255dbc0cc5d7772d5.squirrel@www.trepanning.net> <CALxQUYETFnCS0BHQrtCR-O6K48P0q2KitExLTkC5PBjNuPMCtQ@mail.gmail.com>
Subject: Re: [TLS] User Defined Key Pair
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Jul 2013 12:40:49 -0000

Hi Alex,

* Password-authenticated

UDKP is key-authenticated, it's based on signing a message by the user's
private key, and getting it validated by the user's public key, which is
stored on the server.
That will make it easy for supporting TLS termination as mentioned in the
section 5.2 of the draft, which is not easy to be supported by the TLS-SRP,
and that's one of the reasons it's not yet implemented in browsers.

* Do not involve CAs at all

If it's to be used in the browsers for websites, it will have to depend on
CA to secure the registration of the user credential on the server, and
that is also the case with UDKP.

* Do not allow a compromised server to impersonate the user
    - Zero-knowledge password proofs are rather useful

If the server is compromised, offline and dictionary attack will be
possible against the verifier, the attack will be in the password entropy.
In UDKP the authentication is done using public/private key, the server
will only contains the public key which will not be useful to impersonate
the user. The key generation should be based on at least the password, and
the security question/answer pair, for applications that require more
security the key generation will be based on a file that the user will
select, or the key generation will be based on a smart card or a hardware
token (more details on that will be in the coming version of the draft).

* Are designed to work with TLS, rather than replace it wholesale
Actually I have been advised to make it compatible with TLS, and I am
thinking of that seriously.


Thank You
Best Regards



On Fri, Jul 12, 2013 at 2:37 PM, OMAR HASSAN (RIT Student)
<omh1835@rit.edu>wrote:

> Hi Dan,
>
> I believe that your protocol will better suit for customized applications,
> but when it comes to websites you will definitely face those issues that I
> took about.
>
>
>
> It's very common that a SQL injection attack against the website would
> give the attacker the opportunity to steal database records, which will
> allow the attacker to impersonate the client (I think TLS-SRP adds a little
> complexity to protect against that scenario, I am sure you can improve this
> part in your protocol)
>
>
>
> Also TLS termination is very important, and must be supported by the
> protocol, and the first challenge in that regard is that the load balancer
> where the TLS connection should be terminated will not have access to the
> server database, and I think without access to the server database you will
> not be able to terminate the encrypted connection.
>
>
>
> Regarding UDKP, I believe that the only valid attack against it is during
> the registration. In that case using an initial TLS authenticated
> connection will solve this issue, and for all later usages there is no need
> to be dependent on certificate authorities.
>
>
>
> In UDKP, if the server data has been stolen, the attacker will get only
> the public key, and he will not be able to impersonate the client as he
> will need the private key. And regarding TLS termination, the load
> balancer could use the user public key to terminate the encrypted
> connection, and the let the server authenticate the user. You can refer to
> section 5.2 in the draft:
>
> http://tools.ietf.org/html/draft-omar-tls-udkp-01#section-5.2
>
> In the coming version of the draft I will put a detailed analysis for the
> attack scenarios.
>
>
> On Thu, Jul 11, 2013 at 6:22 PM, Dan Harkins <dharkins@lounge.org> wrote:
>
>>
>>   Hi Omar,
>>
>> On Thu, July 11, 2013 2:42 am, OMAR HASSAN (RIT Student) wrote:
>> > Hi Dan,
>> >
>> > I had a quick look at your work item, and I have some questions:
>> >
>> > What will be the consequences if the server data has be stolen? will the
>> > attacker be able to impersonate as the user?
>>
>>   Successfully stealing records from the server's password file will
>> enable the thief to impersonate the client (back to the hacked server)
>> for all stolen records.
>>
>> > How will the password be stored in the server initially?
>>
>>   That is completely up to the server.
>>
>> > How will you handle TLS termination that is used many websites to
>> > centralize the related measurements and protection against the common
>> SSL
>> > attacks in one place, and to allow the application firewalls to validate
>> > and check the incoming requests for application-level attacks such as
>> SQL
>> > injection and cross-site scripting?
>>
>>   This is really an operational question. At the risk of sounding flippant
>> I guess I'd just say it will be handled in the best way possible.
>>
>>   You claim in your draft that "UDKP aims to completely replace the TLS
>> protocol." That is a much more ambitious goal and you will need to handle
>> these sorts of issues. The tls-pwd draft just defines certificate-less
>> ciphersuites that are resistant to dictionary attack (and are better than
>> the various PSK ciphersuites) for use with the existing TLS protocol.
>>
>>   regards,
>>
>>   Dan.
>>
>> > Thanks
>> >
>> >
>> >
>> > On Wed, Jul 10, 2013 at 8:49 PM, Dan Harkins <dharkins@lounge.org>
>> wrote:
>> >
>> >>
>> >> On Mon, June 24, 2013 11:34 am, Salz, Rich wrote:
>> >> [snip]
>> >> > If you are trying to avoid CA's, then why not just use self-signed
>> >> > certificates or similar like PGP?
>> >>
>> >>   Or why not use a protocol that is already a work item of the
>> >> TLS working group:
>> >>
>> >>      http://tools.ietf.org/html/draft-ietf-tls-pwd-00
>> >>
>> >>   Dan.
>> >>
>> >>
>> >>
>> >>
>> >
>>
>>
>