Re: [TLS] User Defined Key Pair

Robert Cragie <robert.cragie@gridmerge.com> Tue, 25 June 2013 08:25 UTC

Return-Path: <robert.cragie@gridmerge.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EC92621F9412 for <tls@ietfa.amsl.com>; Tue, 25 Jun 2013 01:25:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SqUKISyxFywt for <tls@ietfa.amsl.com>; Tue, 25 Jun 2013 01:25:45 -0700 (PDT)
Received: from mail41.extendcp.co.uk (mail41.extendcp.co.uk [79.170.44.41]) by ietfa.amsl.com (Postfix) with ESMTP id B457721F9C31 for <tls@ietf.org>; Tue, 25 Jun 2013 01:25:40 -0700 (PDT)
Received: from [94.116.33.115] (helo=[10.38.240.171]) by mail41.extendcp.com with esmtpsa (TLSv1:DHE-RSA-CAMELLIA256-SHA:256) (Exim 4.80.1) id 1UrOZ8-0003OF-R0 for tls@ietf.org; Tue, 25 Jun 2013 09:25:30 +0100
Message-ID: <51C953FC.7010802@gridmerge.com>
Date: Tue, 25 Jun 2013 09:25:32 +0100
From: Robert Cragie <robert.cragie@gridmerge.com>
Organization: Gridmerge Ltd.
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20130509 Thunderbird/17.0.6
MIME-Version: 1.0
To: tls@ietf.org
References: <CALxQUYGdagDHr+A4EKN5qPD1jZG+dH8PHwb0-fKJVUN_vC1MSg@mail.gmail.com> <2A0EFB9C05D0164E98F19BB0AF3708C711B251EE97@USMBX1.msg.corp.akamai.com> <CALxQUYGpcKPOAoZ8J56AoUGx8B3JhdmMche8MdQuqD_S=Y22ZQ@mail.gmail.com> <2A0EFB9C05D0164E98F19BB0AF3708C711B251EF0E@USMBX1.msg.corp.akamai.com> <CALxQUYF1=oFBk=WZFoey+28j7MV7YvSkAD-YzJSeQ0Dp7uXmEA@mail.gmail.com> <2A0EFB9C05D0164E98F19BB0AF3708C711B251EFFF@USMBX1.msg.corp.akamai.com> <CALxQUYH-4HR7sO2jfxQnbro6+xM5hD_hdW-K_a-Esd9yiZ+oug@mail.gmail.com> <F4FD7A8A-4801-46B3-87B1-5CB1FB0CDE55@iki.fi>
In-Reply-To: <F4FD7A8A-4801-46B3-87B1-5CB1FB0CDE55@iki.fi>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha1"; boundary="------------ms000200070203070800000602"
X-Authenticated-As: robert.cragie@gridmerge.com
Subject: Re: [TLS] User Defined Key Pair
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: robert.cragie@gridmerge.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Jun 2013 08:25:50 -0000

+1. It would seem more appropriate to use a self-signed client 
certificate (which can be generated in a similar way from username and 
password etc.) in conjunction with a CA-signed server certificate for 
mutual authentication.

Some other points:

  * As the proposal has no server authentication, it is surely broken in
    that respect i.e. the client could be lured to any bogus website
    masquerading as a legitimate one. How would the client know?
  * Token = enc(ServerHello.random, PrivKey) : The concept of encrypting
    using a private key seems pointless. Don't you mean signing?


Robert


On 25/06/2013 08:56, Juho Vähä-Herttua wrote:
> This discussion forced me to take a look at the draft. The whole security of the system seems to be dependant on the security of the "browser plugin" and its key generation and encryption algorithms, which are not defined in the draft. I don't see how this could possibly be an interoperable standard as it is.
>
> On 25.6.2013, at 0.29, "OMAR HASSAN (RIT Student)" <omh1835@rit.edu> wrote:
>
>> When the user enrolls into one of those websites, and let's say he will go with the second option of using a usb as a second factor authentication, where the password is something he knows, and the usb is something he has.
> What if someone detects this enrollment and sends a new public key for the user before the user has time to fill all the fields? Sounds like a race condition to me.
>
>> Self signed certificate is very dangerous because the user will not have a way to verify the identity of the certificate owner and he could be a victim to a man in the middle attack.
> But at least the keys are generated using a truly random seed, instead of part of the seed being predictable (username, password, security question) which actually sounds worse to me.
>
> I don't see how this is different from generating a self signed client cert and verifying it with for example HMAC with username+password+question derived secret. If you already need a custom browser plugin to handle the login, you can put all your custom logic there and use standard TLS for the rest.
>
>
> Juho
>
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>