Re: [TLS] shared secrets from passwords



Mohamad Badra <badra at isima.fr> wrote:
>> Is there any RFC with recommendations for deriving shared secrets from
>> passwords?

My recommendation would be to strongly advise TLS implementors against any
form of deriving shared authentication or encryption secrets from passwords.

One fact about shared secrets: If the users are humanly capable of giving
them away, they will do so.  The simplest way to get a user's password is
typically to simply ask him for it.  If the user's shared authentication
secret can be derived from a password, then the attack will be to get the
user to divulge his password to the wrong party.
(Here's a cute example: http://wdl.lug.ro/funny/pictures/credit.jpg )

A system in which the user cannot easily give away his shared authentication
secret, even if he wants to, because he does not have it in his head and he
cannot get his system to show it to him, will be much more secure than one
in which the shared secret itself can be given away from memory or by reading.

I suggest you consider a "two factor" system, wherein (say) the user's
password only serves to locally unlock/decrypt a local copy of a shared
secret that was previously generated from a random source, and where that
shared secret cannot be seen by the user.  The user can give away his password
but doing so will not, by itself, give away his shared authentication secret.



_______________________________________________
TLS mailing list
TLS at lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls
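The "two factor" arrangement suggested in the message above, as an added example that is not part of the original post: the shared secret comes from a random source, and the password only unlocks a locally stored wrapped copy. The function names, the PBKDF2 work factor and the XOR-pad-plus-HMAC wrapping (chosen so the sketch needs only the Python standard library) are assumptions.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 200_000  # assumed work factor for this sketch; tune for your hardware


def _keys(password, salt):
    # 64 bytes of PBKDF2 output: a 32-byte pad for the secret and a 32-byte MAC key.
    okm = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=64)
    return okm[:32], okm[32:]


def enroll(password):
    """Return (shared_secret, wrapped_blob).

    The secret is drawn from the CSPRNG, never computed from the password.
    The secret is registered with the server; only the blob is kept locally.
    """
    secret = secrets.token_bytes(32)
    salt = secrets.token_bytes(16)  # fresh per wrap, so the pad is never reused
    pad, mac_key = _keys(password, salt)
    ct = bytes(a ^ b for a, b in zip(secret, pad))
    tag = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    return secret, salt + ct + tag


def unlock(password, blob):
    """Recover the secret for the client to use; raise on wrong password or tampering.

    In a deployment this runs inside the client and the result is never displayed.
    """
    if len(blob) != 80:  # 16-byte salt + 32-byte ciphertext + 32-byte tag
        raise ValueError("malformed blob")
    salt, ct, tag = blob[:16], blob[16:48], blob[48:]
    pad, mac_key = _keys(password, salt)
    expected = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong password or corrupted blob")
    return bytes(a ^ b for a, b in zip(ct, pad))
```

Two enrollments with the same password yield unrelated secrets, so knowing the password without the stored blob reveals nothing about the shared secret.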




Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.