Re: [TLS] is it good using password for authentication only?

"Bingzheng Wu" <bingzheng.wbz@alibaba-inc.com> Fri, 19 June 2015 08:19 UTC

Return-Path: <bingzheng.wbz@alibaba-inc.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CC56D1A8725 for <tls@ietfa.amsl.com>; Fri, 19 Jun 2015 01:19:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0
X-Spam-Level:
X-Spam-Status: No, score=0 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, J_CHICKENPOX_48=0.6, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LzIkik7w2tRm for <tls@ietfa.amsl.com>; Fri, 19 Jun 2015 01:19:53 -0700 (PDT)
Received: from out4133-66.mail.aliyun.com (out4133-66.mail.aliyun.com [42.120.133.66]) by ietfa.amsl.com (Postfix) with ESMTP id 423751A871C for <tls@ietf.org>; Fri, 19 Jun 2015 01:19:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=alibaba-inc.com; s=default; t=1434701992; h=From:To:Subject:Date:Message-ID:MIME-Version:Content-Type; bh=u6Gp5i3JDfs2BjnP777CPvcC6TuSEpAPhC3NA2BJODg=; b=xnEeD9CgQIXBVCbd8lWWoHH2F/ApKsGuweyyDO5MrVHYY3tg1LiUIKmi+nvcl/8MWH8ViO/Fwg7MtxFM14mgqY2MdlemqVcLWNYK2fhM+dUTaJRIj9OW07brB/PcASxL2SY+I2E8JXRlG+BG994kPEIWEFve9FMPeQPNefRMkwE=
X-Alimail-AntiSpam: AC=PASS; BC=-1|-1; BR=01201311R181e4; FP=0|-1|-1|-1|0|-1|-1|-1; HT=r41g03020; MF=bingzheng.wbz@alibaba-inc.com; PH=DS; RN=2; RT=2; SR=0;
Received: from ali074145n(mailfrom:bingzheng.wbz@alibaba-inc.com ip:42.120.74.187) by smtp.aliyun-inc.com(127.0.0.1); Fri, 19 Jun 2015 16:19:39 +0800
From: "Bingzheng Wu" <bingzheng.wbz@alibaba-inc.com>
To: "Bingzheng Wu" <bingzheng.wbz@alibaba-inc.com>, "'tls'" <tls@ietf.org>
References: <----3-------MPf3-$e9162029-e7fe-4f8d-9805-569a4c7475b1@alibaba-inc.com>
In-Reply-To: <----3-------MPf3-$e9162029-e7fe-4f8d-9805-569a4c7475b1@alibaba-inc.com>
Date: Fri, 19 Jun 2015 16:19:38 +0800
Message-ID: <011401d0aa68$af6818e0$0e384aa0$@alibaba-inc.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="gb2312"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQIpOz5ldmRkdleV+OrBFxoGmWrSs50CWOlw
Content-Language: zh-cn
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/e6aCNkx38g1htLJw8z4TNcTCYsk>
Subject: Re: [TLS] is it good using password for authentication only?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: Bingzheng Wu <bingzheng.wbz@alibaba-inc.com>
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Jun 2015 08:19:55 -0000

Maybe I realize the problem. The PasswordVerify message is susceptible to
offline dictionary attacks.

Dose it become resistant to the attack if we add some secret generated from
master-secret into the HASH?

  PasswordVerify = HASH(username, passward, handshake_message_hash,
master-secret, label)

This becomes involved with key-exchange, but it is not involved with any
specific key-exchange method.
It just need the key-exchange result.


Bingzheng


> -----Original Message-----
> From: TLS [mailto:tls-bounces@ietf.org] On Behalf Of Bingzheng Wu
> Sent: Thursday, June 18, 2015 11:08 AM
> To: tls
> Subject: [TLS] is it good using password for authentication only?
> 
> Hi all,
> 
> I have a question about authentication and key-exchange.
> 
> TLS 1.3 removes RSA and DH static key-exchange, which mixs authentication
> and key-exchange together.
> However there are some PAKE models for TLS, e.g. RFC 5054 and 2 drafts.
> I think that PAKE mixs them together too.
> 
> Which is better, mixing them together, or keeping them independent to each
> other?
> Is it possible to use password for authentication only?
> 
> 
> Here is a example handshake flow for password-based authentication:
> 
>   ClientHello
>   ClientKeyshare  -->
>                           ServerHello
>                           ServerKeyshare
>                           PasswordVerify
>                      <--  Finished
>   PasswordVerify
>   Finished       -->
> 
> where:
> 
>   ClientHello takes an extension to carry username.
> 
>   PasswordVerify takes the verifier based on password, which could be:
>       HASH(username, passward, handshake_message_hash, label)
>       where handshake_message_hash is defined in TLS 1.3,
>       and label is "TLS 1.3, server PasswordVerify" or "TLS 1.3, client
>       PasswordVerify".
> 
>   and other messages keep the same with TLS 1.3.
> 
> 
> This could work with Certificate authentication together, by server adding
> Certificate and CertificateVerify messages following PasswordVerify, and
client
> verifying them both.
> 
> 
> Is this ok?
> 
> I think this makes it easier to merge passward-based authentication into
TLS
> 1.3.
> 
> 
> Thanks in advance,
> Bingzheng Wu
> 
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls