Re: [TLS] is it good using password for authentication only?
"Bingzheng Wu" <bingzheng.wbz@alibaba-inc.com> Fri, 19 June 2015 08:19 UTC
Return-Path: <bingzheng.wbz@alibaba-inc.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CC56D1A8725 for <tls@ietfa.amsl.com>; Fri, 19 Jun 2015 01:19:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0
X-Spam-Level:
X-Spam-Status: No, score=0 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, J_CHICKENPOX_48=0.6, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LzIkik7w2tRm for <tls@ietfa.amsl.com>; Fri, 19 Jun 2015 01:19:53 -0700 (PDT)
Received: from out4133-66.mail.aliyun.com (out4133-66.mail.aliyun.com [42.120.133.66]) by ietfa.amsl.com (Postfix) with ESMTP id 423751A871C for <tls@ietf.org>; Fri, 19 Jun 2015 01:19:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=alibaba-inc.com; s=default; t=1434701992; h=From:To:Subject:Date:Message-ID:MIME-Version:Content-Type; bh=u6Gp5i3JDfs2BjnP777CPvcC6TuSEpAPhC3NA2BJODg=; b=xnEeD9CgQIXBVCbd8lWWoHH2F/ApKsGuweyyDO5MrVHYY3tg1LiUIKmi+nvcl/8MWH8ViO/Fwg7MtxFM14mgqY2MdlemqVcLWNYK2fhM+dUTaJRIj9OW07brB/PcASxL2SY+I2E8JXRlG+BG994kPEIWEFve9FMPeQPNefRMkwE=
X-Alimail-AntiSpam: AC=PASS; BC=-1|-1; BR=01201311R181e4; FP=0|-1|-1|-1|0|-1|-1|-1; HT=r41g03020; MF=bingzheng.wbz@alibaba-inc.com; PH=DS; RN=2; RT=2; SR=0;
Received: from ali074145n(mailfrom:bingzheng.wbz@alibaba-inc.com ip:42.120.74.187) by smtp.aliyun-inc.com(127.0.0.1); Fri, 19 Jun 2015 16:19:39 +0800
From: Bingzheng Wu <bingzheng.wbz@alibaba-inc.com>
To: Bingzheng Wu <bingzheng.wbz@alibaba-inc.com>, 'tls' <tls@ietf.org>
References: <----3-------MPf3-$e9162029-e7fe-4f8d-9805-569a4c7475b1@alibaba-inc.com>
In-Reply-To: <----3-------MPf3-$e9162029-e7fe-4f8d-9805-569a4c7475b1@alibaba-inc.com>
Date: Fri, 19 Jun 2015 16:19:38 +0800
Message-ID: <011401d0aa68$af6818e0$0e384aa0$@alibaba-inc.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="gb2312"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQIpOz5ldmRkdleV+OrBFxoGmWrSs50CWOlw
Content-Language: zh-cn
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/e6aCNkx38g1htLJw8z4TNcTCYsk>
Subject: Re: [TLS] is it good using password for authentication only?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: Bingzheng Wu <bingzheng.wbz@alibaba-inc.com>
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Jun 2015 08:19:55 -0000
Maybe I realize the problem. The PasswordVerify message is susceptible to offline dictionary attacks. Dose it become resistant to the attack if we add some secret generated from master-secret into the HASH? PasswordVerify = HASH(username, passward, handshake_message_hash, master-secret, label) This becomes involved with key-exchange, but it is not involved with any specific key-exchange method. It just need the key-exchange result. Bingzheng > -----Original Message----- > From: TLS [mailto:tls-bounces@ietf.org] On Behalf Of Bingzheng Wu > Sent: Thursday, June 18, 2015 11:08 AM > To: tls > Subject: [TLS] is it good using password for authentication only? > > Hi all, > > I have a question about authentication and key-exchange. > > TLS 1.3 removes RSA and DH static key-exchange, which mixs authentication > and key-exchange together. > However there are some PAKE models for TLS, e.g. RFC 5054 and 2 drafts. > I think that PAKE mixs them together too. > > Which is better, mixing them together, or keeping them independent to each > other? > Is it possible to use password for authentication only? > > > Here is a example handshake flow for password-based authentication: > > ClientHello > ClientKeyshare --> > ServerHello > ServerKeyshare > PasswordVerify > <-- Finished > PasswordVerify > Finished --> > > where: > > ClientHello takes an extension to carry username. > > PasswordVerify takes the verifier based on password, which could be: > HASH(username, passward, handshake_message_hash, label) > where handshake_message_hash is defined in TLS 1.3, > and label is "TLS 1.3, server PasswordVerify" or "TLS 1.3, client > PasswordVerify". > > and other messages keep the same with TLS 1.3. > > > This could work with Certificate authentication together, by server adding > Certificate and CertificateVerify messages following PasswordVerify, and client > verifying them both. > > > Is this ok? > > I think this makes it easier to merge passward-based authentication into TLS > 1.3. > > > Thanks in advance, > Bingzheng Wu > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls
- [TLS] is it good using password for authenticatio… Bingzheng Wu
- Re: [TLS] is it good using password for authentic… Bingzheng Wu
- Re: [TLS] is it good using password for authentic… Bingzheng Wu
- Re: [TLS] is it good using password for authentic… Manuel Pegourie-Gonnard
- Re: [TLS] is it good using password for authentic… Thijs van Dijk
- Re: [TLS] is it good using password for authentic… Mike Hamburg
- Re: [TLS] is it good using password for authentic… Manuel Pegourie-Gonnard