IETF Logo Mail Archive

Re: [TLS] Should TLS 1.3 use an augmented PAKE by default?

"Ryan Sleevi" <ryan-ietftls@sleevi.com> Wed, 19 March 2014 16:13 UTC

Return-Path: <ryan-ietftls@sleevi.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 810901A07C3 for <tls@ietfa.amsl.com>; Wed, 19 Mar 2014 09:13:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.665
X-Spam-Level:
X-Spam-Status: No, score=-1.665 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, IP_NOT_FRIENDLY=0.334, SPF_FAIL=0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8NQ69X9ELKNZ for <tls@ietfa.amsl.com>; Wed, 19 Mar 2014 09:13:04 -0700 (PDT)
Received: from homiemail-a32.g.dreamhost.com (agjbgdcfdbgc.dreamhost.com [69.163.253.162]) by ietfa.amsl.com (Postfix) with ESMTP id C7C1E1A07C1 for <tls@ietf.org>; Wed, 19 Mar 2014 09:13:04 -0700 (PDT)
Received: from homiemail-a32.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a32.g.dreamhost.com (Postfix) with ESMTP id 4260C5840F7; Wed, 19 Mar 2014 09:12:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sleevi.com; h=message-id :in-reply-to:references:date:subject:from:to:cc:reply-to :mime-version:content-type:content-transfer-encoding; s= sleevi.com; bh=AE09v+aZl5OX86P0W9Gx6j1zCBg=; b=r9twFwLFx1UfjARjf pOLtWUoVheso6w0xsSrI7geDrcXwDDTEYEOfEefWdHunKEumVH0KJKNSbxuYOtwp 9BrplvHnPrpPR0RrWEnzrotVBjhicZPLNrpPTNWw8P5eQ5C3qij5PllOSObJbnfG 197IeDILIjC5rLMgxDBPoGJcco=
Received: from webmail.dreamhost.com (caiajhbihbdd.dreamhost.com [208.97.187.133]) (Authenticated sender: ryan@sleevi.com) by homiemail-a32.g.dreamhost.com (Postfix) with ESMTPA id E98BD5840CA; Wed, 19 Mar 2014 09:12:55 -0700 (PDT)
Received: from 173.8.157.162 (proxying for 173.8.157.162) (SquirrelMail authenticated user ryan@sleevi.com) by webmail.dreamhost.com with HTTP; Wed, 19 Mar 2014 09:12:56 -0700
Message-ID: <8add91ddc18f9364408651327523c891.squirrel@webmail.dreamhost.com>
In-Reply-To: <CALCETrV7_j3dLuaUeQ1pXM=fkrO9Q9svHSC=MaOXQA1nvAQHFQ@mail.gmail.com>
References: <53288C43.9010205@mit.edu> <5328B6DF.8070703@fifthhorseman.net> <5328C0C8.9060403@mit.edu> <6b79e0820d349720f12b14d4706a8a5d.squirrel@webmail.dreamhost.com> <CALCETrV7_j3dLuaUeQ1pXM=fkrO9Q9svHSC=MaOXQA1nvAQHFQ@mail.gmail.com>
Date: Wed, 19 Mar 2014 09:12:56 -0700
From: Ryan Sleevi <ryan-ietftls@sleevi.com>
To: Andy Lutomirski <luto@amacapital.net>
User-Agent: SquirrelMail/1.4.21
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/kuVLI_4Zhr8GyeceZDTnprFhZP0
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Should TLS 1.3 use an augmented PAKE by default?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: ryan-ietftls@sleevi.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Mar 2014 16:13:06 -0000

On Wed, March 19, 2014 8:43 am, Andy Lutomirski wrote:
>  On Tue, Mar 18, 2014 at 10:54 PM, Ryan Sleevi <ryan-ietftls@sleevi.com>
>  wrote:
> > On Tue, March 18, 2014 2:55 pm, Andy Lutomirski wrote:
[Snip]
> >>  I'd guess it's a chicken-and-egg problem.
> >
> > No. It's really not. It's a usability problem, and one that doesn't get
> > solved easily.
> >
> > It's not unique to TLS-SRP. It's just as applicable to TLS client
> > certificates.
> >
> > Browsers don't want it:
> > - It requires the browser implement a special (trusted) UI, since by
> > definition, it's the browser's responsibility to terminate TLS
> > connections.
>
>  I think that browsers should do *exactly* this.  There's already one
>  for the lock icon -- adding one for password entry seems like a
>  natural extension.  Even better: users who use such a thing don't need
>  to be nearly as careful about checking the actual URL before entering
>  their password.

Challenge: Go find a site using HTTP auth (of any form - BASIC, DIGEST,
etc), that wasn't built in the 1990s or a slow-moving SDO.

Ask them how they like it.

Answer: They don't. No site wants to use browser UI. It's a bad UX.

>
> >
> > Sites don't want it:
> > - Sites don't want to force browser UI on their users, they want to
> > control and customize the UI. They want to handle failures, not rely on
> > browsers that may or may not handle errors in the manner in which they
> > desire.
>
>  This can be fixed.

And the ocean can be boiled to power a giant steam engine. These are both
true statements, but both discount the huge efforts for the minimal gains
and real harm possible.

>
> >
> > Users don't want it:
> > - Users *like* sites' form-based authentication. It integrates easily
> > with
> > their mental model, provides easy avenues for trouble-shooting ("forgot
> > my
> > password", etc).
>
>  You're assuming that an augmented PAKE with a trusted UI can't do all
>  of that.  If a website could request a zero-knowledge proof of
>  knowledge of a secret, where the secret has this description next to
>  it and this set of extra buttons (the buttons would be plain links and
>  would *not* transmit the password), I think that everyone wins.  Heck,
>  the whole trusted dialog could be written in HTML and, as long as the
>  ability to submit forms were restricted and scripts were blocked, it
>  should just work.
>
>  Admittedly, this doesn't really fit in to my suggestion of doing it as
>  part of TLS key exchange.

Which was exactly my point.

>
> >
> > This is the exact same problem with client certificates.
> >
> > Both solutions (TLS-SRP and client cert auth) are trying to solve
> > application auth issues at the transport. This doesn't work well. Heck,
> > even GSSAPI doesn't have a good solution for this when authenticating to
> > sites with SPNEGO (although the ongoing work for cred UI is exciting
> > stuff).
> >
> > The real drive - of sites and of browsers - is trying to find ways to
> > give
> > sites as much control of the UI as possible, while simultaneously
> > reducing
> > the risk - of password breaches and security incidents. If you want to
> > see
> > the practical efforts to "solve" the phishing problem, look at stuff
> > like
> > http://fidoalliance.org/
>
>  That was actually my inspiration for suggesting this feature.  Suppose
>  you use a second factor (e.g. Fido U2F) device to authenticate to your
>  bank.  You've set a PIN "1234".  An attacker subsequently steals your
>  U2F device.
>
>  If the device is well designed, locks out the key after a few tries,
>  is suitably slow rejecting bad PINs, and is truly tamper proof, then
>  everything is OK.  But that's a big if.
>
>  The problem is that using ECDSA signatures or anything like then in a
>  second factor is the wrong approach, I think.  If a second factor
>  instead answered an augmented PAKE challenge, it could be implemented
>  in such a way that it wouldn't be able to distinguish a correct PIN
>  from an incorrect PIN.  Then the server could lock out the account
>  after a few tries, and an attacker wouldn't be able to usefully attack
>  the device even if they completely broke its tamper protection.
>
>  This is mostly outside the scope of the TLS WG, but I think that TLS
>  could do a lot to make this kind of thing easier.
>
>  --Andy
>

It's not a technological issue. It's a social/usability issue.

And the TLS WG is, arguably, one of the least suited of all WGs to solve
this.

v2.23.0 | Report a Bug | By Email