- From: David P. Jablon <dpj@world.std.com>
- Date: Sun, 09 Feb 1997 15:24:06 -0500
- To: Dan Simon <dansimon@microsoft.com>, ietf-tls@w3.org
[ Continued discussion of shared-key authentication for TLS
compares Bellovin & Merritt-style methods (DH-EKE, SPEKE, etc.)
to the randomized hash exchange in the Microsoft proposal
(passauth-00.txt). Includes a short review of the methods. -- dpj ]
At 01:36 PM 2/7/97 -0800, Dan Simon <dansimon@microsoft.com> wrote:
> I know of no sense in which our shared-secret authentication proposal is
> less secure than Bellovin-Merritt-style [EKE] authentication. ...
I'll show several ways that EKE methods can improve the
strength of your proposal. For one: EKE can block the
"name-spoofing" attack of Felton, etc.
> ... The major difference between the two is
> that our proposal ["HASH"] only authenticates *one*
> party (the TLS client) using the shared key; the other party (the TLS
> server) must still have a certified public key to authenticate. In
> Bellovin-Merritt-style ["EKE"] authentication,
> *both* sides authenticate using
> the same shared key. This second authentication actually *reduces* the
> security of the protocol; for example, *both* sides (not just the
> server) must guard against online brute-force attacks on the shared key.
> (On the "plus" side, it eliminates the need for one party to have a
> certified public key.)
Your analysis seems misleading. It blurs the distinction
between the shared-key techniques (HASH & EKE) by using
them in different systems. Head-to-head, EKE is always
stronger. I'll show two cases for a clearer comparison:
1) shared-key plus server "anonymous" public-key authentication,
2) shared-key with *no* stored PKs or certs on either side.
Case 1: Shared-key with anonymous public-key server auth.
----------------------------------------------------------
When the server first proves himself using public-key
authentication, EKE gives added proof of the server's
identity, where HASH does not. The public-key
just proves that the server is who he *claims* to be,
but with problems in the user-interface or user habits,
the server's name may be mistaken with an enemy's in
a "name-spoofing" attack.
With HASH, a single, short-lived, name-spoof permits an
unlimited off-line brute-force attack. This makes the
spoofer's job easier, since he doesn't have to sit in
the middle of a prolonged session to do damage.
With EKE, *nobody* gets to do an off-line dictionary attack,
not even a spoofer. The strong two-way proof of the
shared secret also gives direct confirmation of the server's
identity. This added proof may also be reassuring if
there are any doubts about the integrity of the public-key
"chain of trust".
You state that on-line brute-force attack against the
client "reduces the security of the protocol". But this
is blocked if the server is first PK-authenticated, and it
applies to HASH as well as EKE, or any other method
used to prove the client's knowledge. In any case,
client on-line attack requires many spoofing acts
(100's or 1000's?) against the user, who is likely get
suspicious or give up in frustration before the secret
is revealed.
Although Microsoft considers the "no certificate" case
unnecessary for their applications, maybe others would like
to see the comparison. (I wasn't sure if the current MS
proposal ruled out this case.)
Case 2: Shared-key with no public-keys or certificates
-------------------------------------------------------
A HASH method without anonymous public-key (or other)
assistance is as weak as the vulnerability of the
password to brute-force attack. Off-line attack is
possible for any eavesdropper.
An EKE method performs a *mutual* password verification
with no chance for off-line brute-force attack. Both
eavesdropper and other "man-in-the-middle" attacks are
blocked.
With both methods, direct bad guesses should be limited
by the server and by the client, as in all small-secret
proofs.
[Dan Simon:]
> We decided that for the applications we had in mind, requiring that the
> server obtain a certificate was not as problematic as worrying about
> attacks on the client. Of course, if people are very enthusiastic about
> having Bellovin-Merritt [EKE] two-way shared-key authentication as an
> option in TLS, then I would invite them to write up a proposal in
> Internet Draft form and submit it to the ietf-tls list. I, for one,
> would certainly not oppose its inclusion, provided it is incorporated in
> as secure a manner as possible.
As noted above, mutual EKE authentication even with
"anonymous" PK authentication has big advantages,
with no added risk.
In the "no PK" case, I think your worries about
on-line spoofing against the client can be largely
mitigated if the client software discourages too
many retries for access failures. Of course, if
you have certified PK's, you've got another strong
factor. In any case, I'm glad to hear that you're
open minded about it.
Quick review of EKE methods
---------------------------
For those unfamiliar with EKE-style methods, there
are actually several families of them.
In this example of SPEKE, P is the shared secret,
all exponentiation is done modulo a huge prime
m = 2q+1, q is also prime, and Ra, Rb are random
numbers.
Client creates Ra, sends P^(2 Ra)
Server creates Rb, sends P^(2 Rb)
Both compute K = P^(2 Ra Rb)
Server sends hash("server", K) [with prior message]
Client sends hash("client", K)
Each verifies that the other's hash is correct
to prove knowledge of P.
The P^(2 Rx) messages reveal nothing about P, due to the
difficulty of the discrete log problem.
Quick review of HASH methods
----------------------------
The "time-honored" HASH method is basically:
Server creates and sends Rb.
Client sends hash("client", Rb, P)
Server verifies the hash to prove knowledge of P.
This can be repeated in the reverse direction, but
either way it's open to an eavesdropper computing
brute-force trials of hash("client", Rb, X) offline.
Further refinement
------------------
There are also extensions to EKE-style methods where
the server stores a one-way hashed secret H(P), and
proves knowledge of P by the client. With
these extensions, theft of H(P) won't allow an
attacker to masquerade as a client, without first
completing a brute-force attack to get P.
This is scalable security that grows nicely
with the strength of P.
>>-----Original Message-----
>>From: David P. Jablon
>>Sent: Thursday, February 06, 1997 3:52 PM
>>To: ietf-tls@w3.org
>>Subject: Shared Secret Authentication
>>
>>Earlier threads on this list seem to have focused debate on
>>weak methods for password/passphrase/shared-secret authentication.
>>
>>Methods that are immune to unconstrained dictionary attack
>>have been around since 1992, from Bellovin & Merritt's EKE family
>>of protocols, to the SPEKE method developed by myself.
>>I find it curious that the debate has settled down upon
>>demonstrably weaker alternatives, as in the current drafts.
>>
>>I would suggest that the passauth-00.txt "Addition of
>>Shared Key Authentication" document be modified to use
>>strong password authentication. Presenting weak password
>>authentication as an alternative to strong public-key
>>methods seems sloppy.
[In retrospect, this wording was sloppy. I really found
passauth-00 to be clear and honestly written, even if
in need of improvement. -- dpj]
>>
>>I really prefer the combination of strong public-key AND
>>strong memorizable passwords, as two independent factors for
>>authentication ...
------------------------------------
David P. Jablon
Integrity Sciences, Inc.
Westboro, MA
Tel: +1 508 898 9024
http://world.std.com/~dpj/
E-mail: dpj@world.std.com
Received on Sunday, 9 February 1997 15:23:11 UTC