Re: [TLS] Working Group Last Call for draft-ietf-tls-pwd

[Peter Sylvester <peter.sylvester@edelweb.fr>]

On 11/27/2013 06:09 PM, Bodo Moeller wrote:
>

> Given how draft-ietf-tls-pwd-02 specifies negotiation of domain parameters, I think that a 
> trapdoor-prime attack similar to the one I previously described for SRP applies 
> (https://groups.google.com/forum/#!msg/sci.crypt/JMcCA6FhTDk/e3BKt-CnvQkJ 
> <https://groups.google.com/forum/#%21msg/sci.crypt/JMcCA6FhTDk/e3BKt-CnvQkJ>).  It makes more
The server's ability to send arbitrary values for negotiation does not mean that the client blindly 
accepts them.

> sense to standardize domain parameters (allowing a selection of "named groups").
In the SRP code of OpenSSL for example, by default, the client accepts only a few groups, the one's 
from the RFC

  "names"  vs  actual values:
- syntactical sugar
- needs or doesn't some form of registration
- requires more or less data to be transmitted
- ...

One possible name for a value is "value", it is understood without any prerequisites, registration,
avoids name clashes.  the price is 500 octets, another "name" would be the hash of the
parameters, since/if they are known in advance.

> Full flexibility sounds nice at first, until you realize that it couldn't only be used by 
> legitimate protocol participants to select groups that they might deem more secure than whatever 
> is specified, but could also used by an attacker to select particularly bad groups (in particular 
> if the scenario doesn't provide for any authentication other than the password-based 
> authentication the protocol is meant to provide).
you wrote in your comment:
"but the adversary, when sitting in for the server, can send Alice the parameters for any 
well-formed group"

  The client can decide what it accepts as "well-formed".

>
> Bodo
Peter
>
>
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls