W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2011

Re: [http-auth] [websec] HTTP authentication: the next generation

From: Tim <tim-research@sentinelchicken.org>
Date: Fri, 7 Jan 2011 09:42:13 -0800
To: Simon Josefsson <simon@josefsson.org>
Cc: websec <websec@ietf.org>, "kitten\@ietf\.org" <kitten@ietf.org>, "http-auth\@ietf\.org" <http-auth@ietf.org>, "ietf-http-wg\@w3\.org Group" <ietf-http-wg@w3.org>
Message-ID: <20110107174213.GA6792@sentinelchicken.org>
> One final addition here, the situation for PSK depends on the flavour
> and whether you are talking about active or passive attackers.  The
> statement is true for plain PSK, but less so for DHE_PSK and RSA_PSK.
> Section 7.2 of 4279:
>    For the PSK ciphersuites, an attacker can get the information
>    required for an off-line attack by eavesdropping on a TLS handshake,
>    or by getting a valid client to attempt connection with the attacker
>    (by tricking the client to connect to the wrong address, or by
>    intercepting a connection attempt to the correct address, for
>    instance).
>    For the DHE_PSK ciphersuites, an attacker can obtain the information
>    by getting a valid client to attempt connection with the attacker.
>    Passive eavesdropping alone is not sufficient.
>    For the RSA_PSK ciphersuites, only the server (authenticated using
>    RSA and certificates) can obtain sufficient information for an
>    off-line attack.

In the general case, I don't think it is useful to differentiate
between passive and active attackers.  Performing man-in-the-middle
attacks is no more difficult (in a big-O sense) than performing
passive attacks.  In almost every modern network, these attacks
require the same level of network access.

Just a pet peeve of mine.

Received on Friday, 7 January 2011 17:42:45 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:10:56 UTC