Re: [websec] HTTP authentication: the next generation from Simon Josefsson on 2011-01-07 (ietf-http-wg@w3.org from January to March 2011)

From: Simon Josefsson <simon@josefsson.org>
Date: Fri, 07 Jan 2011 15:29:40 +0100
To: Yaron Sheffer <yaronf.ietf@gmail.com>
Cc: "Roy T. Fielding" <fielding@gbiv.com>, websec <websec@ietf.org>, Robert Sayre <sayrer@gmail.com>, "kitten\@ietf.org" <kitten@ietf.org>, "http-auth\@ietf.org" <http-auth@ietf.org>, "ietf-http-wg\@w3.org Group" <ietf-http-wg@w3.org>, Ben Laurie <benl@google.com>
Message-ID: <874o9kiy7f.fsf@latte.josefsson.org>

The initial paper contains a security analysis with some reduction-style
arguments:

http://srp.stanford.edu/ndss.html#SECTION00040000000000000000

As with any crypto document from that time, it will lack in how the
assumptions are stated and the reductions are made.  That considered, is
there something in particular that you think is missing in there?

We can fix the problem with lack of review by implementing and deploying
the protocol, then certainly researchers are bound to focus on it. ;-)

/Simon

Yaron Sheffer <yaronf.ietf@gmail.com> writes:

> Another issue is that SRP (as opposed to other protocols in this
> space) is not provably secure, and in fact has had relatively little
> cryptographic review, AFAIK. I would be glad to be proven wrong on the
> second point.
>
> Thanks,
> 	Yaron
>
> On 01/07/2011 01:57 PM, Simon Josefsson wrote:
>> One way to mitigate the dictionary attack problem is to do PBKDF#2
>> processing of the password before it hits TLS-PSK.
>>
>> However I agree that TLS-SRP have superior properties, and it is widely
>> implemented.  There is no practical reason to prefer TLS-PSK over
>> TLS-PSK for password-based TLS authentication.  One issue is that RFC
>> 5054 is Informational rather than Standards Track (same issue as for
>> TLS-OpenPGP), which is due to political reasons.
>>
>> /Simon
>>
>> Yaron Sheffer<yaronf.ietf@gmail.com>  writes:
>>
>>> [Culling down the mailing lists]
>>>
>>> Hi Ben,
>>>
>>> No, RFC 4279 should not be used with (a hash of) human-memorable
>>> passwords, because it would be vulnerable to dictionary attacks. See
>>> http://tools.ietf.org/html/rfc4279#section-7.2. SRP, EKE and similar
>>> schemes should be used instead.
>>>
>>> Thanks,
>>> 	Yaron
>>>
>>> On 01/06/2011 05:31 PM, Ben Laurie wrote:
>>> [...]
>>>
>>>>
>>>>
>>>> Two comments (one really being a response to Roy):
>>>>
>>>> 1. The IETF has fixed the problem, but no-one is using the fix - perhaps
>>>> because it is not clear that it is the fix. I speak of RFC 4279, TLS
>>>> pre-shared keys. These could be derived from a hash of the password and
>>>> the site name, for example, and thus provide secure mutual
>>>> authentication despite password reuse.
>>>>
>>> [...]

Received on Friday, 7 January 2011 14:31:23 UTC