Re: [TLS] Should TLS 1.3 use an augmented PAKE by default?
Anders Rundgren <anders.rundgren.net@gmail.com> Wed, 19 March 2014 16:17 UTC
Return-Path: <anders.rundgren.net@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E51D11A0705 for <tls@ietfa.amsl.com>; Wed, 19 Mar 2014 09:17:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.4
X-Spam-Level:
X-Spam-Status: No, score=-1.4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, J_CHICKENPOX_45=0.6, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 99FQ7RV8w3ez for <tls@ietfa.amsl.com>; Wed, 19 Mar 2014 09:17:17 -0700 (PDT)
Received: from mail-wi0-x229.google.com (mail-wi0-x229.google.com [IPv6:2a00:1450:400c:c05::229]) by ietfa.amsl.com (Postfix) with ESMTP id D47A61A06F7 for <tls@ietf.org>; Wed, 19 Mar 2014 09:17:16 -0700 (PDT)
Received: by mail-wi0-f169.google.com with SMTP id hm4so5090771wib.2 for <tls@ietf.org>; Wed, 19 Mar 2014 09:17:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type:content-transfer-encoding; bh=vjDkQmrwRv1AICCEQuasjZzg0aY2FKTA4wp4ZLA/vBQ=; b=09Ic9bU0AygUaDNIIIgvejhIRnHhozEehdAR75b0t8uLeSNO/Q4jrlMVSWuEYoPG3G mttKqU9fZWQ1LuSkFw22QaKBFjyAd0Xg6uRz2JxDQjywcwQHPkLCdC/AMthGcXKGr0M2 Dypq8vcKpTxswU8mHwVjDTiVrtQVVVavHgl5wLvhC52KZ5MrfctjS4ZKa5eOmY7LoIBM SM5XHAEZi0Pj08JULrmaEwzQUgg1+cPLmE3JXLojuc3LT5bO5IxtA0MiEAlfXo0jV4GW qFwxeChwycHxYzgpb4yhAZGJwT1X8cPM3loCxYtPFSWE53zNR3BlhxHMkQaJIb472N+z EwEQ==
X-Received: by 10.194.120.101 with SMTP id lb5mr2648734wjb.74.1395245827682; Wed, 19 Mar 2014 09:17:07 -0700 (PDT)
Received: from [192.168.1.99] (188.110.176.95.rev.sfr.net. [95.176.110.188]) by mx.google.com with ESMTPSA id fq16sm57151914wjc.3.2014.03.19.09.17.05 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Wed, 19 Mar 2014 09:17:06 -0700 (PDT)
Message-ID: <5329C2FD.2040909@gmail.com>
Date: Wed, 19 Mar 2014 17:17:01 +0100
From: Anders Rundgren <anders.rundgren.net@gmail.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.3.0
MIME-Version: 1.0
To: Andy Lutomirski <luto@amacapital.net>
References: <53288C43.9010205@mit.edu> <5328B6DF.8070703@fifthhorseman.net> <5328C0C8.9060403@mit.edu> <6b79e0820d349720f12b14d4706a8a5d.squirrel@webmail.dreamhost.com> <CALCETrV7_j3dLuaUeQ1pXM=fkrO9Q9svHSC=MaOXQA1nvAQHFQ@mail.gmail.com>
In-Reply-To: <CALCETrV7_j3dLuaUeQ1pXM=fkrO9Q9svHSC=MaOXQA1nvAQHFQ@mail.gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/rXVh42C0suwFN1vqZzYSDdLHBuE
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Should TLS 1.3 use an augmented PAKE by default?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Mar 2014 16:17:19 -0000
On 2014-03-19 16:43, Andy Lutomirski wrote: > On Tue, Mar 18, 2014 at 10:54 PM, Ryan Sleevi <ryan-ietftls@sleevi.com> wrote: >> On Tue, March 18, 2014 2:55 pm, Andy Lutomirski wrote: >>> On 03/18/2014 02:13 PM, Daniel Kahn Gillmor wrote: >>>> >>>> Hi Andy-- >>>> >>>> Thanks for raising this question. >>>> >>>> On 03/18/2014 02:11 PM, Andy Lutomirski wrote: >>>>> 1. When clients authenticate with a password, if they send their >>>>> password to the wrong server, that server learns their password. >>>> >>>> I think you're talking about HTTP basic auth here, or IMAP AUTH=PLAIN, >>>> right? Other authentication mechanisms that are layered on top of TLS >>>> don't necessarily have the same concern. >>> >>> As far as I know, pretty much all authentication methods that layer on >>> top of TLS either have this problem or are, at the very least, >>> vulnerable to dictionary attack by a rogue server. Getting secure >>> augmented password-based authentication right is tricky, and I think >>> that TLS should offer this service. >>> >>>> >>>>> This >>>>> is the basis of most phishing attacks. (I'm ignoring TLS-SRP, which is >>>>> basically unused.) >> >> Since you raised "phishing" as your concern, I'm entirely responding >> within the context that you're talking about user-facing actions within >> the context of a web browser. I have yet to hear of a good mail client >> "phishing" attack (you *are* validating your IMAP certs, right?), so this >> seems almost predominantly an issue of attacker-controlled UI - that is, >> the web. >> >>>> >>>> TLS SRP's lack of use suggests that there is not a high pressure for >>>> deployment here. >>>> >>>> It's probably worth thinking some about why SRP adoption has been so >>>> slow (i don't know the global answer here, but i only know a few folks >>>> who are using it) >>> >>> I'd guess it's a chicken-and-egg problem. >> >> No. It's really not. It's a usability problem, and one that doesn't get >> solved easily. >> >> It's not unique to TLS-SRP. It's just as applicable to TLS client >> certificates. >> >> Browsers don't want it: >> - It requires the browser implement a special (trusted) UI, since by >> definition, it's the browser's responsibility to terminate TLS >> connections. > > I think that browsers should do *exactly* this. There's already one > for the lock icon -- adding one for password entry seems like a > natural extension. Even better: users who use such a thing don't need > to be nearly as careful about checking the actual URL before entering > their password. You want something like this? https://communities.intel.com/community/itpeernetwork/vproexpert/blog/2012/05/18/intel-ipt-with-embedded-pki-and-protected-transaction-display Petty yucky stuff IMO. Anders > >> >> Sites don't want it: >> - Sites don't want to force browser UI on their users, they want to >> control and customize the UI. They want to handle failures, not rely on >> browsers that may or may not handle errors in the manner in which they >> desire. > > This can be fixed. > >> >> Users don't want it: >> - Users *like* sites' form-based authentication. It integrates easily with >> their mental model, provides easy avenues for trouble-shooting ("forgot my >> password", etc). > > You're assuming that an augmented PAKE with a trusted UI can't do all > of that. If a website could request a zero-knowledge proof of > knowledge of a secret, where the secret has this description next to > it and this set of extra buttons (the buttons would be plain links and > would *not* transmit the password), I think that everyone wins. Heck, > the whole trusted dialog could be written in HTML and, as long as the > ability to submit forms were restricted and scripts were blocked, it > should just work. > > Admittedly, this doesn't really fit in to my suggestion of doing it as > part of TLS key exchange. > >> >> This is the exact same problem with client certificates. >> >> Both solutions (TLS-SRP and client cert auth) are trying to solve >> application auth issues at the transport. This doesn't work well. Heck, >> even GSSAPI doesn't have a good solution for this when authenticating to >> sites with SPNEGO (although the ongoing work for cred UI is exciting >> stuff). >> >> The real drive - of sites and of browsers - is trying to find ways to give >> sites as much control of the UI as possible, while simultaneously reducing >> the risk - of password breaches and security incidents. If you want to see >> the practical efforts to "solve" the phishing problem, look at stuff like >> http://fidoalliance.org/ > > That was actually my inspiration for suggesting this feature. Suppose > you use a second factor (e.g. Fido U2F) device to authenticate to your > bank. You've set a PIN "1234". An attacker subsequently steals your > U2F device. > > If the device is well designed, locks out the key after a few tries, > is suitably slow rejecting bad PINs, and is truly tamper proof, then > everything is OK. But that's a big if. > > The problem is that using ECDSA signatures or anything like then in a > second factor is the wrong approach, I think. If a second factor > instead answered an augmented PAKE challenge, it could be implemented > in such a way that it wouldn't be able to distinguish a correct PIN > from an incorrect PIN. Then the server could lock out the account > after a few tries, and an attacker wouldn't be able to usefully attack > the device even if they completely broke its tamper protection. > > This is mostly outside the scope of the TLS WG, but I think that TLS > could do a lot to make this kind of thing easier. > > --Andy > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
- [TLS] Should TLS 1.3 use an augmented PAKE by def… Andy Lutomirski
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Daniel Kahn Gillmor
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Andy Lutomirski
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Ryan Sleevi
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Andy Lutomirski
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Andy Lutomirski
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Ryan Sleevi
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Anders Rundgren
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Ryan Sleevi
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Peter Sylvester
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Andy Lutomirski
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Andy Lutomirski
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Yoav Nir
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Daniel Kahn Gillmor
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Paul Hoffman
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Yoav Nir
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Daniel Kahn Gillmor
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Robert Cragie
- [TLS] bootstrapping of constrained devices (was: … Rene Struik
- Re: [TLS] bootstrapping of constrained devices Anders Rundgren
- Re: [TLS] bootstrapping of constrained devices (w… Michael Sweet
- Re: [TLS] bootstrapping of constrained devices (w… t.petch
- Re: [TLS] bootstrapping of constrained devices (w… Michael Sweet
- Re: [TLS] bootstrapping of constrained devices Anders Rundgren
- Re: [TLS] bootstrapping of constrained devices (w… Max Pritikin (pritikin)
- Re: [TLS] bootstrapping of constrained devices (w… Don Sturek
- Re: [TLS] bootstrapping of constrained devices Robert Cragie
- Re: [TLS] bootstrapping of constrained devices Watson Ladd
- Re: [TLS] bootstrapping of constrained devices Paterson, Kenny
- Re: [TLS] bootstrapping of constrained devices Feng Hao
- Re: [TLS] bootstrapping of constrained devices Paterson, Kenny
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Yaron Sheffer
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Yaron Sheffer
- Re: [TLS] bootstrapping of constrained devices Feng Hao
- Re: [TLS] bootstrapping of constrained devices Dan Harkins