Re: [TLS] is it good using password for authentication only?

Mike Hamburg <mike@shiftleft.org> Sun, 19 July 2015 17:36 UTC

To: Thijs van Dijk <schnabbel@inurbanus.nl>, Manuel Pegourie-Gonnard <mpg2@elzevir.fr>
References: <----3-------MPf3-$e9162029-e7fe-4f8d-9805-569a4c7475b1@alibaba-inc.com> <----3-------MPf3-$9050573e-2304-452c-9b77-668deaf79dd6@alibaba-inc.com> <55AB7A19.5030502@elzevir.fr> <CADGaDpG5D391SD4SNfy5f3_ZY0+Oj2ut4Wc04vTwnWxHxraOhQ@mail.gmail.com>
From: Mike Hamburg <mike@shiftleft.org>
Message-ID: <55ABE011.8000400@shiftleft.org>
Date: Sun, 19 Jul 2015 10:36:17 -0700
In-Reply-To: <CADGaDpG5D391SD4SNfy5f3_ZY0+Oj2ut4Wc04vTwnWxHxraOhQ@mail.gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/sMQCk6rwQAdlwBKwEper_xKX-Og>
Cc: tls <tls@ietf.org>
Subject: Re: [TLS] is it good using password for authentication only?

Also, it isn't too difficult to implement a PAKE.  But there isn't a 
(known?) way to do it without adding rounds, if you want to protect the 
username.  This is because the server needs the username before it can 
do anything with the password.  Unless it has 0-RTT information the 
client can't encrypt the username before receiving the server's 
ephemeral share.  So you need at least

ClientHello ->
<- ServerKeyshare
PakeStuff ->
<- PasswordVerify
PasswordVerify, Finished ->

(With other messages in there too of course, but these ones limit the 
round count with PAKE.)

-- Mike

On 7/19/2015 3:42 AM, Thijs van Dijk wrote:
> Hi Manuel,
>
> On 19 July 2015 at 12:21, Manuel Pegourie-Gonnard <mpg2@elzevir.fr 
> <mailto:mpg2@elzevir.fr>> wrote:
>
>     I'm probably wrong since I only thought about it for a few
>     minutes, but it seems to me that the PasswordVerify message would
>     be encrypted with (keys derived from) the handshake master secret,
>     which would prevent offline attacks.
>
>     What am I missing?
>
>
> The key observation is the following: (I mentioned this off-list a few 
> weeks ago, but I guess I'll post it here as well for posterity.)
>
>     [T]he master secret will be derived from the client's and server's
>     respective KeyShare messages, and will therefore be known at the
>     time the server's PasswordVerify is sent. A malicious client could
>     therefore perform half a handshake (just enough to get the server
>     to give up its PV message), abort, and proceed with an offline
>     attack in its own time. 
>
>     I thought about switching the order in which server and client
>     send their PV, but in much the same manner this won't protect
>     clients from malicious servers.
>
>
> -Thijs
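The two observations above (a malicious client can run half a handshake, collect the server's PasswordVerify, abort, and grind the password offline when the secret protecting PasswordVerify comes from plain ephemeral DH; a PAKE binds the password into the key exchange so each handshake tests only one guess) as a worked toy model. This is an added example, not code from the TLS working group or from anyone in the thread. Assumptions: the "naive" PasswordVerify is modelled as a MAC keyed by the DH secret over the stored password hash (a stand-in for whatever the draft under discussion specified); the PAKE side is SPEKE-style with a password-derived generator; p = 2**127 - 1 is used as a toy group so it runs quickly (a real deployment uses a standardized group and a vetted PAKE); the username, passwords and candidate list are constructed.

```python
"""
Toy model of the two designs discussed in the thread (added example, not
code from the TLS WG or the message's author).

  naive: handshake secret from plain ephemeral DH (password-independent);
         the server's PasswordVerify is a MAC keyed by that secret over the
         stored password hash (assumed construction).
  pake:  SPEKE-style; the DH generator is derived from the password, so the
         session secret is only computable by a party that knows it.

Assumptions: p = 2**127 - 1 (Mersenne prime) is a toy group used only so
the example runs quickly; all names and passwords below are constructed.
"""
import hashlib
import hmac
import secrets

P = (1 << 127) - 1           # toy modulus (assumption: illustration only)
G = 5                        # toy generator for the password-independent DH
LABEL = b"server PasswordVerify"


def pw_hash(username: str, password: str) -> bytes:
    """What the naive server stores; a salt would not change the attack below."""
    return hashlib.sha256(username.encode() + b"\x00" + password.encode()).digest()


def speke_generator(username: str, password: str) -> int:
    """SPEKE: generator derived from the password, squared to land in the
    quadratic residues and avoid the order-2 element."""
    return pow(int.from_bytes(pw_hash(username, password), "big") % P, 2, P)


def mac(key: int, *data: bytes) -> bytes:
    """PasswordVerify MAC keyed by the (toy, 127-bit) session secret."""
    return hmac.new(key.to_bytes(16, "big"), b"".join(data), "sha256").digest()


def naive_half_handshake(username: str, server_pw_hash: bytes):
    """Malicious client runs the naive handshake just far enough to receive
    the server's PasswordVerify, then aborts.  Returns what the attacker keeps."""
    x = secrets.randbelow(P - 2) + 1
    X = pow(G, x, P)                         # ClientHello + KeyShare ->
    y = secrets.randbelow(P - 2) + 1
    Y = pow(G, y, P)                         # <- ServerKeyshare
    master = pow(X, y, P)                    # server's handshake secret
    pv = mac(master, LABEL, server_pw_hash)  # <- PasswordVerify
    return x, Y, pv                          # client aborts here


def naive_offline_candidates(username: str, transcript, dictionary):
    """The attacker knows x, hence the handshake secret, and can test every
    candidate against the captured PasswordVerify without the server."""
    x, Y, pv = transcript
    master = pow(Y, x, P)
    return [c for c in dictionary
            if hmac.compare_digest(mac(master, LABEL, pw_hash(username, c)), pv)]


def pake_half_handshake(username: str, guess: str, server_password: str):
    """Same half-handshake against the SPEKE-style design: the client's share
    is built from its password guess, the server's from the real password."""
    x = secrets.randbelow(P - 2) + 1
    X = pow(speke_generator(username, guess), x, P)            # PakeStuff ->
    y = secrets.randbelow(P - 2) + 1
    Y = pow(speke_generator(username, server_password), y, P)  # <- ServerKeyshare
    pv = mac(pow(X, y, P), LABEL)                              # <- PasswordVerify
    return x, guess, Y, pv                                     # client aborts here


def pake_offline_candidates(transcript, dictionary):
    """Offline, the attacker can only evaluate the key for the one guess it
    committed to in X; computing Y^x under any other candidate would need the
    server's y.  One aborted run therefore confirms or rules out one guess."""
    x, guess, Y, pv = transcript
    guess_ok = hmac.compare_digest(mac(pow(Y, x, P), LABEL), pv)
    return [guess] if guess_ok else [c for c in dictionary if c != guess]


if __name__ == "__main__":
    user, password = "alice", "correct-horse"          # constructed
    dictionary = ["password", "hunter2", "correct-horse", "letmein", "Tr0ub4dor&3"]
    t = naive_half_handshake(user, pw_hash(user, password))
    print("naive, offline search after one aborted handshake:",
          naive_offline_candidates(user, t, dictionary))
    t = pake_half_handshake(user, "hunter2", password)
    print("PAKE, after one aborted handshake with a wrong guess:",
          pake_offline_candidates(t, dictionary))
```

Against the naive design a single aborted handshake lets the attacker narrow the dictionary to the real password with no further server contact; against the PAKE the same transcript eliminates exactly the one candidate the attacker committed to, which is why the round structure Mike sketches matters: the password has to shape the key-exchange messages themselves, not just a verifier sent under a key both parties already share.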