RE: Passphrases in or out

>From: 	Christopher Allen[]
>At 12:43 PM -0700 8/2/96, Dan Simon wrote:
>>Okay, here's one thing:  they can't protect password-based
>>challenge-response transcripts with strong encryption while adhering to
>>export restrictions.  If the application is restricted to exportable
>>encryption, then it can't properly protect challenge-response pairs from
>>brute force attacks--first against the encryption, then against the
>Ok, so far this is the only requirement that I've seen that can't be done
>with TLS now.
>As summarize Dan's requirement, TLS while securing a transport using an
>exportable cypher (say RC4-40) would allow passphrases to be secured at a
>full (RC4-128) level. Thus if you were using FTP with SSL, the
>username/password could be sent at the high encryption level.
>However, again, is this really necessary? Since you have shared secrets,
>can't you use something like the APOP framework where you send a date, hash
>it with the password and send the hash back? Isn't that as secure (or more
>secure) as sending the password encrypted with RC4-128? And that can be
>done at the application level, and already exists in some form in a number
>of IETF protocols.

No, this is not as secure as strong protection of the password-based
response.  This method allows brute-force offline search for the
password; if the latter was poorly chosen, then it may be quite easy to
find.  Strong protection of the response with a key derived from a
public-key key exchange solves the problem.
>At 9:48 AM -0700 8/2/96, Keith Ball wrote:
>>I still havent seen any movement towards resolution.  The issues havent
>>changed substantially. So, how is this to be resolved?  I think Dan Simon's
>>suggestions are useful from our perspective, but I dont see any agreement
>>it will or will not be adopted.
>>1) How will this issue be resolved?  What happens when consensu doesnt
>>to be reached (or reachable) on the mailing list?
>I could be persuaded to drop my objections if there was the following:
>a) A concrete proposal, to the bits level, of how you can protect
>password-based challege-response bits at a higher level of encryption than
>the exportable SSL stream, and how this proposal fits into the the broader
>TLS protocol, and *DOESN'T* try to do more than this.

I presented exactly such a proposal in a brief post-meeting rump session
after the working group meeting in Montreal.  The text of it will be
posted to this list shortly.
>b) An evaluation of whether this couldn't better be done through another
>"standard" technique like APOP or some of the other AUTH frameworks at the
>application level, or by using some out-of-band technique.

My comments above, together with my response to Taher's email, hopefully
clear up this question.
>c) An evaluation of whether this really is exportable.

This is unfortunately a terribly touchy question, as exportability is
something of an empirical science.  As far as I know, there is no
official oracle which will rule on the exportability of a generic method
like a protocol, as opposed to a particular implementation.  However, I
expect that those who are familiar with export approval procedures will
agree that the method I have been advocating stands as good a chance as
any inexact science will allow.  :^)  
>d) Some comments on if adding a feature because of only US export issues
>that could impact security is acceptable.

Has anyone complained about the EXPORT cipher suites yet?
>e) Some other parties besides Netscape, MicroSoft, and CompuServe to speak
>up on the proposal.

Excellent idea--I encourage as many disparate voices as possible to come
>f) Some cryptographers to speak up on the proposal.

I believe I count as one (at least, that's what my business card says).
Bennet Yee could be considered another.  Taher would be a third.  I
would, of course, love to hear from more.  But then we should probably
have as many cryptographers as possible root through the entire TLS
protocol, not just the shared-key authentication feature.
>g) An "exit" strategy, so that we can be sure that this hack has a sunset,
>and that it would not be a requirement of TLS to always support this in the

I'm not sure what is meant by "a requirement of TLS to always support
this in the future".  Certainly, it was never anyone's intention to
force support for this feature on any implementer of TLS.  Given that
support for it would in any event be completely optional, I see no
reason to consider this feature any more or less permanent than, say,
support for the IDEA cipher.
>I'll summarize my objections so far:
>1) It is inelegant architecturally.

I've heard this complaint a number of times, and I've never understood
it.  If public-key-based client authentication belongs in TLS, then how
could shared-key-based client authentication belong anywhere else?  So
what if they work slightly differently--isn't architectural elegance a
matter of first locating functionality, then allowing alternate
mechanisms for providing that functionality to be inserted as needed?
>2) It serves a need that can be just as easily answered at the application
>protocol level.

See my comments above.
>3) I'm concerned about security issues (I'm not a cryptographer, so I can't
>say that it is not secure, only that I've not heard enough from them to
>feel more confident.)

As a cryptographer, I will freely grant that there are security risks
associated with shared-key authentication that don't exist in the
public-key case.  Unfortunately, in the real world, security is only one
of many concerns, and practical obstacles to public-key authentication
may in some cases outweigh the security advantages.  That is hardly a
rare occurence in cryptography; any cryptographer can identify dozens of
such concessions to practicality in the current TLS document, for
example.  Normally, cryptographers try to decide only the no-brainers
ourselves (getting rid of blatantly broken ciphers, for instance), and
provide enough information about the trickier trade-offs so that
cryptography's consumers, thus armed, can make informed choices.
>4) I'm concerned that it will delay implementation of client certificates.

My own view is that if anything, it will expedite the implementation of
client certificates.  But suppose that I'm wrong, and Christopher is
right--as John Macko has pointed out, what would it say about the
relative attractiveness of client certificates, if implementers, given
all the facts, still had to be bludgeoned into using client certificates
by a ban on the use of something they'd prefer if they had the option?

No, I believe that implementers, administrators and users will migrate
to client certificates when they decide that client certificates are
preferable to passwords.  (And I also believe that that day is not far
off.)  Trying to coerce them by rendering password-based schemes less
secure than they could be, on the other hand, will not only not convince
many people--it will also win us (the working group, the IETF, standards
bodies and cryptographers in general) enemies while weakening overall
Internet security.

				Daniel Simon
				Cryptographer, Microsoft Corp.


Received on Friday, 2 August 1996 20:14:57 UTC