[TLS] is it good using password for authentication only?

"Bingzheng Wu" <bingzheng.wbz@alibaba-inc.com> Thu, 18 June 2015 03:07 UTC

Return-Path: <bingzheng.wbz@alibaba-inc.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A0DE81ACE4F for <tls@ietfa.amsl.com>; Wed, 17 Jun 2015 20:07:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.3
X-Spam-Level: *
X-Spam-Status: No, score=1.3 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, J_CHICKENPOX_48=0.6, MIME_QP_LONG_LINE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Wl2HB0KM7maR for <tls@ietfa.amsl.com>; Wed, 17 Jun 2015 20:07:37 -0700 (PDT)
Received: from out4133-34.mail.aliyun.com (out4133-34.mail.aliyun.com [42.120.133.34]) by ietfa.amsl.com (Postfix) with ESMTP id 192DB1ACE42 for <tls@ietf.org>; Wed, 17 Jun 2015 20:07:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=alibaba-inc.com; s=default; t=1434596855; h=Date:From:To:Message-ID:Subject:MIME-Version:Content-Type; bh=OeGAgohX7ZVYVHJLo8PoAfWdtXRINAziNTokoVkZiWA=; b=LdYch8stJpV7JH+c424aZnl43QO2ar4Njz6VF1U3BnC0qGjlPymxMf+gLhXnCU2ZKir9iR3TZv4CTMaqTn5y9rxDDxt82NNJKbuxPBOPPs2+/mXAkff0iVDH7d6omNi5SE+9q6V0NWRcH4rNUVo7WN8zF4wrPdWQSaAzKUmMriQ=
X-Alimail-AntiSpam: AC=PASS; BC=-1|-1; BR=01201311R191e4; FP=0|-1|-1|-1|0|-1|-1|-1; HT=r41g03020; MF=bingzheng.wbz@alibaba-inc.com; PH=DW; RN=1; RT=1; SR=0;
Received: from WS-web (bingzheng.wbz@alibaba-inc.com[42.120.74.183]) by r41g03021.xy2.aliyun.com at Thu, 18 Jun 2015 11:07:34 +0800
Date: Thu, 18 Jun 2015 11:07:34 +0800
From: "Bingzheng Wu" <bingzheng.wbz@alibaba-inc.com>
To: "tls" <tls@ietf.org>
Message-ID: <----3-------MPf3-$e9162029-e7fe-4f8d-9805-569a4c7475b1@alibaba-inc.com>
X-Mailer: Alimail-Mailagent revision 2696742
MIME-Version: 1.0
x-aliyun-mail-creator: W4_2697534_hLSTW96aWxsYS81LjAgKFdpbmRvd3MgTlQgNi4xOyBXT1c2NCkgQXBwbGVXZWJLaXQvNTM3LjM2IChLSFRNTCwgbGlrZSBHZWNrbykgQ2hyb21lLzQzLjAuMjM1Ny4xMjQgU2FmYXJpLzUzNy4zNg==2I
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/gxFsPdwXNNZYZPwYlEifbdYb9zE>
Subject: [TLS] =?utf-8?q?is_it_good_using_password_for_authentication_only?= =?utf-8?q?=3F?=
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: Bingzheng Wu <bingzheng.wbz@alibaba-inc.com>
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Jun 2015 03:07:38 -0000

Hi all,

I have a question about authentication and key-exchange.

TLS 1.3 removes RSA and DH static key-exchange, which mixs authentication
and key-exchange together.
However there are some PAKE models for TLS, e.g. RFC 5054 and 2 drafts.
I think that PAKE mixs them together too.

Which is better, mixing them together, or keeping them independent to each other?
Is it possible to use password for authentication only?


Here is a example handshake flow for password-based authentication:

  ClientHello
  ClientKeyshare  -->
                          ServerHello
                          ServerKeyshare
                          PasswordVerify
                     <--  Finished
  PasswordVerify
  Finished       -->

where:

  ClientHello takes an extension to carry username.

  PasswordVerify takes the verifier based on password, which could be:
      HASH(username, passward, handshake_message_hash, label)
      where handshake_message_hash is defined in TLS 1.3,
      and label is "TLS 1.3, server PasswordVerify" or "TLS 1.3, client
      PasswordVerify".

  and other messages keep the same with TLS 1.3.


This could work with Certificate authentication together, by server adding
Certificate and CertificateVerify messages following PasswordVerify, and
client verifying them both.


Is this ok?

I think this makes it easier to merge passward-based authentication into TLS 1.3.


Thanks in advance,
Bingzheng Wu