Re: [TLS] Should TLS 1.3 use an augmented PAKE by default?
"Ryan Sleevi" <ryan-ietftls@sleevi.com> Wed, 19 March 2014 05:54 UTC
Return-Path: <ryan-ietftls@sleevi.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3CAD11A04B4 for <tls@ietfa.amsl.com>; Tue, 18 Mar 2014 22:54:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.335
X-Spam-Level:
X-Spam-Status: No, score=0.335 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, IP_NOT_FRIENDLY=0.334, J_CHICKENPOX_45=0.6, SPF_FAIL=0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NRJ0ju1R9pkl for <tls@ietfa.amsl.com>; Tue, 18 Mar 2014 22:54:57 -0700 (PDT)
Received: from homiemail-a32.g.dreamhost.com (agjbgdcfdbgc.dreamhost.com [69.163.253.162]) by ietfa.amsl.com (Postfix) with ESMTP id B3D2F1A04A6 for <tls@ietf.org>; Tue, 18 Mar 2014 22:54:57 -0700 (PDT)
Received: from homiemail-a32.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a32.g.dreamhost.com (Postfix) with ESMTP id 2E51A584057; Tue, 18 Mar 2014 22:54:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sleevi.com; h=message-id :in-reply-to:references:date:subject:from:to:cc:reply-to :mime-version:content-type:content-transfer-encoding; s= sleevi.com; bh=mIf7aDytGchrE1/aC9mDsaHc9gM=; b=VR82ZBNntFuM4vlL7 TkmhXHa5a3kTop+N44ESB5kkVkhg13kUbX3f6Ic09psgb4m7N6QXUMu9oef+FHNk F07qqrq84w3ekLWVc4Rttq3fc9y2gdm6it5TtZAU2pi2bwGQfsCWM56qoKAJjJUZ KvR0mO/d4z20z+JhhdDuGapcMc=
Received: from webmail.dreamhost.com (caiajhbihbdd.dreamhost.com [208.97.187.133]) (Authenticated sender: ryan@sleevi.com) by homiemail-a32.g.dreamhost.com (Postfix) with ESMTPA id E8EA5584056; Tue, 18 Mar 2014 22:54:48 -0700 (PDT)
Received: from 173.8.157.162 (proxying for 173.8.157.162) (SquirrelMail authenticated user ryan@sleevi.com) by webmail.dreamhost.com with HTTP; Tue, 18 Mar 2014 22:54:49 -0700
Message-ID: <6b79e0820d349720f12b14d4706a8a5d.squirrel@webmail.dreamhost.com>
In-Reply-To: <5328C0C8.9060403@mit.edu>
References: <53288C43.9010205@mit.edu> <5328B6DF.8070703@fifthhorseman.net> <5328C0C8.9060403@mit.edu>
Date: Tue, 18 Mar 2014 22:54:49 -0700
From: Ryan Sleevi <ryan-ietftls@sleevi.com>
To: Andy Lutomirski <luto@amacapital.net>
User-Agent: SquirrelMail/1.4.21
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/TVZAC0Q6tkBE0sZKZkUvH7z16Sw
Cc: "tls@ietf.org" <tls@ietf.org>, Andy Lutomirski <luto@amacapital.net>
Subject: Re: [TLS] Should TLS 1.3 use an augmented PAKE by default?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: ryan-ietftls@sleevi.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Mar 2014 05:54:59 -0000
On Tue, March 18, 2014 2:55 pm, Andy Lutomirski wrote: > On 03/18/2014 02:13 PM, Daniel Kahn Gillmor wrote: > > > > Hi Andy-- > > > > Thanks for raising this question. > > > > On 03/18/2014 02:11 PM, Andy Lutomirski wrote: > >> 1. When clients authenticate with a password, if they send their > >> password to the wrong server, that server learns their password. > > > > I think you're talking about HTTP basic auth here, or IMAP AUTH=PLAIN, > > right? Other authentication mechanisms that are layered on top of TLS > > don't necessarily have the same concern. > > As far as I know, pretty much all authentication methods that layer on > top of TLS either have this problem or are, at the very least, > vulnerable to dictionary attack by a rogue server. Getting secure > augmented password-based authentication right is tricky, and I think > that TLS should offer this service. > > > > >> This > >> is the basis of most phishing attacks. (I'm ignoring TLS-SRP, which is > >> basically unused.) Since you raised "phishing" as your concern, I'm entirely responding within the context that you're talking about user-facing actions within the context of a web browser. I have yet to hear of a good mail client "phishing" attack (you *are* validating your IMAP certs, right?), so this seems almost predominantly an issue of attacker-controlled UI - that is, the web. > > > > TLS SRP's lack of use suggests that there is not a high pressure for > > deployment here. > > > > It's probably worth thinking some about why SRP adoption has been so > > slow (i don't know the global answer here, but i only know a few folks > > who are using it) > > I'd guess it's a chicken-and-egg problem. No. It's really not. It's a usability problem, and one that doesn't get solved easily. It's not unique to TLS-SRP. It's just as applicable to TLS client certificates. Browsers don't want it: - It requires the browser implement a special (trusted) UI, since by definition, it's the browser's responsibility to terminate TLS connections. Sites don't want it: - Sites don't want to force browser UI on their users, they want to control and customize the UI. They want to handle failures, not rely on browsers that may or may not handle errors in the manner in which they desire. Users don't want it: - Users *like* sites' form-based authentication. It integrates easily with their mental model, provides easy avenues for trouble-shooting ("forgot my password", etc). This is the exact same problem with client certificates. Both solutions (TLS-SRP and client cert auth) are trying to solve application auth issues at the transport. This doesn't work well. Heck, even GSSAPI doesn't have a good solution for this when authenticating to sites with SPNEGO (although the ongoing work for cred UI is exciting stuff). The real drive - of sites and of browsers - is trying to find ways to give sites as much control of the UI as possible, while simultaneously reducing the risk - of password breaches and security incidents. If you want to see the practical efforts to "solve" the phishing problem, look at stuff like http://fidoalliance.org/ There are still be opportunities to improve things within TLS - channel bindings being the most obvious issue at hand. Sites - and browsers - want assurances similar to client certs, but without all of the countless headaches (eg: Define a reasonable way to "Log Out" in the case of CCA when talking to a website, where you may have N parallel connections, which may have Y TLS sessions depending on timing, and which have a whole host of internal state full of spit-and-glue just trying to make CCA semi-usable for HTTP) I'm hard-pressed to find a use case for TLS-SRP in the context of the web, nor do we hear sites really clamoring for it, and an augmented PAKE is just same story, different day. If you're talking outside the context of the web, then maybe there's a use case, but my instinct is "meh". I think you'll be hard pressed to find anyone who really loves passwords or thinks we should encourage more of them.
- [TLS] Should TLS 1.3 use an augmented PAKE by def… Andy Lutomirski
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Daniel Kahn Gillmor
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Andy Lutomirski
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Ryan Sleevi
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Andy Lutomirski
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Andy Lutomirski
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Ryan Sleevi
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Anders Rundgren
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Ryan Sleevi
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Peter Sylvester
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Andy Lutomirski
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Andy Lutomirski
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Yoav Nir
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Daniel Kahn Gillmor
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Paul Hoffman
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Yoav Nir
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Daniel Kahn Gillmor
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Robert Cragie
- [TLS] bootstrapping of constrained devices (was: … Rene Struik
- Re: [TLS] bootstrapping of constrained devices Anders Rundgren
- Re: [TLS] bootstrapping of constrained devices (w… Michael Sweet
- Re: [TLS] bootstrapping of constrained devices (w… t.petch
- Re: [TLS] bootstrapping of constrained devices (w… Michael Sweet
- Re: [TLS] bootstrapping of constrained devices Anders Rundgren
- Re: [TLS] bootstrapping of constrained devices (w… Max Pritikin (pritikin)
- Re: [TLS] bootstrapping of constrained devices (w… Don Sturek
- Re: [TLS] bootstrapping of constrained devices Robert Cragie
- Re: [TLS] bootstrapping of constrained devices Watson Ladd
- Re: [TLS] bootstrapping of constrained devices Paterson, Kenny
- Re: [TLS] bootstrapping of constrained devices Feng Hao
- Re: [TLS] bootstrapping of constrained devices Paterson, Kenny
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Yaron Sheffer
- Re: [TLS] Should TLS 1.3 use an augmented PAKE by… Yaron Sheffer
- Re: [TLS] bootstrapping of constrained devices Feng Hao
- Re: [TLS] bootstrapping of constrained devices Dan Harkins