Re: [TLS] User Defined Key Pair

"Dan Harkins" <dharkins@lounge.org> Thu, 11 July 2013 15:22 UTC

Return-Path: <dharkins@lounge.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 09B4621F9B79 for <tls@ietfa.amsl.com>; Thu, 11 Jul 2013 08:22:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.265
X-Spam-Level:
X-Spam-Status: No, score=-6.265 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QH+Dqk463KUd for <tls@ietfa.amsl.com>; Thu, 11 Jul 2013 08:22:18 -0700 (PDT)
Received: from colo.trepanning.net (colo.trepanning.net [69.55.226.174]) by ietfa.amsl.com (Postfix) with ESMTP id F178D21F9CAC for <tls@ietf.org>; Thu, 11 Jul 2013 08:22:15 -0700 (PDT)
Received: from www.trepanning.net (localhost [127.0.0.1]) by colo.trepanning.net (Postfix) with ESMTP id 769D3A888004; Thu, 11 Jul 2013 08:22:15 -0700 (PDT)
Received: from 69.12.173.8 (SquirrelMail authenticated user dharkins@lounge.org) by www.trepanning.net with HTTP; Thu, 11 Jul 2013 08:22:15 -0700 (PDT)
Message-ID: <7648a5048f19c6f255dbc0cc5d7772d5.squirrel@www.trepanning.net>
In-Reply-To: <CALxQUYFwZ8WyFDmCebvLyHoqsOGNBuCaEjiWhZPx0QyExWzcrw@mail.gmail.com>
References: <CALxQUYGdagDHr+A4EKN5qPD1jZG+dH8PHwb0-fKJVUN_vC1MSg@mail.gmail.com> <2A0EFB9C05D0164E98F19BB0AF3708C711B251EE97@USMBX1.msg.corp.akamai.com> <CALxQUYGpcKPOAoZ8J56AoUGx8B3JhdmMche8MdQuqD_S=Y22ZQ@mail.gmail.com> <2A0EFB9C05D0164E98F19BB0AF3708C711B251EF0E@USMBX1.msg.corp.akamai.com> <CALxQUYF1=oFBk=WZFoey+28j7MV7YvSkAD-YzJSeQ0Dp7uXmEA@mail.gmail.com> <2A0EFB9C05D0164E98F19BB0AF3708C711B251EFFF@USMBX1.msg.corp.akamai.com> <764a0c52c3800444b69cca4b5b26157c.squirrel@www.trepanning.net> <CALxQUYFwZ8WyFDmCebvLyHoqsOGNBuCaEjiWhZPx0QyExWzcrw@mail.gmail.com>
Date: Thu, 11 Jul 2013 08:22:15 -0700
From: Dan Harkins <dharkins@lounge.org>
To: "OMAR HASSAN (RIT Student)" <omh1835@rit.edu>
User-Agent: SquirrelMail/1.4.14 [SVN]
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] User Defined Key Pair
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Jul 2013 15:22:23 -0000

  Hi Omar,

On Thu, July 11, 2013 2:42 am, OMAR HASSAN (RIT Student) wrote:
> Hi Dan,
>
> I had a quick look at your work item, and I have some questions:
>
> What will be the consequences if the server data has be stolen? will the
> attacker be able to impersonate as the user?

  Successfully stealing records from the server's password file will
enable the thief to impersonate the client (back to the hacked server)
for all stolen records.

> How will the password be stored in the server initially?

  That is completely up to the server.

> How will you handle TLS termination that is used many websites to
> centralize the related measurements and protection against the common SSL
> attacks in one place, and to allow the application firewalls to validate
> and check the incoming requests for application-level attacks such as SQL
> injection and cross-site scripting?

  This is really an operational question. At the risk of sounding flippant
I guess I'd just say it will be handled in the best way possible.

  You claim in your draft that "UDKP aims to completely replace the TLS
protocol." That is a much more ambitious goal and you will need to handle
these sorts of issues. The tls-pwd draft just defines certificate-less
ciphersuites that are resistant to dictionary attack (and are better than
the various PSK ciphersuites) for use with the existing TLS protocol.

  regards,

  Dan.

> Thanks
>
>
>
> On Wed, Jul 10, 2013 at 8:49 PM, Dan Harkins <dharkins@lounge.org> wrote:
>
>>
>> On Mon, June 24, 2013 11:34 am, Salz, Rich wrote:
>> [snip]
>> > If you are trying to avoid CA's, then why not just use self-signed
>> > certificates or similar like PGP?
>>
>>   Or why not use a protocol that is already a work item of the
>> TLS working group:
>>
>>      http://tools.ietf.org/html/draft-ietf-tls-pwd-00
>>
>>   Dan.
>>
>>
>>
>>
>