Re: [TLS] is it good using password for authentication only?

Manuel Pegourie-Gonnard <mpg2@elzevir.fr> Sun, 19 July 2015 18:19 UTC

To: Thijs van Dijk <schnabbel@inurbanus.nl>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/dTAfJNCpIDpa90UiWzzEwhQwd6g>
Cc: tls <tls@ietf.org>

Hi Thijs,

On 7/19/15 12:42, Thijs van Dijk wrote:
> On 19 July 2015 at 12:21, Manuel Pegourie-Gonnard <mpg2@elzevir.fr> wrote:
>
>> I'm probably wrong since I only thought about it for a few minutes, but it
>> seems to me that the PasswordVerify message would be encrypted with (keys
>> derived from) the handshake master secret, which would prevent offline
>> attacks.
>>
>> What am I missing?
>
> The key observation is the following: (I mentioned this off-list a few
> weeks ago, but I guess I'll post it here as well for posterity.)
>
>> [T]he master secret will be derived from the client's and server's
>> respective KeyShare messages, and will therefore be known at the time the
>> server's PasswordVerify is sent. A malicious client could therefore perform
>> half a handshake (just enough to get the server to give up its PV message),
>> abort, and proceed with an offline attack in its own time.

Indeed. Thanks!

(And sorry for the noise, as expected.)

Manuel.