Layering and Shared-key authentication

A lot of the arguments against shared secret client authentication
seem to be layering arguments. Specifically, the argument seems to 
be that shared secret style authentication properly belongs at the
application layer. While I feel that this argument has some force
in principle, it seems to me to be deeply problematic in this specific
case, for a number of reasons:

1. The security services that TLS provides to the application layer
are inadequate for this purpose. The obvious approach to layering
protocols which require shared secret authentication over TLS 
is simply to pass the shared secret directly over the TLS channel,
using TLS as TCP has always been used. However, in the common case, 
TLS application layer data is encrypted with a 40 bit keyspace,
which means that that's all the protection provided for the
shared secret. Consequently, we either have to accept this limitation
or the application needs to provide it's own protection for
the shared secret. 


2. Forcing applications to provide their own security argues against
the purpose of TLS. Much of the argument for TLS is that applications
can then be largely security oblivious while still taking advantage
of security services. While data confidentiality for the data on the
channel is important, there is a lot of historical evidence that the
primary security need for e.g. telnet is actually access control, not
data confidentiality, and this is typically provided via a shared secret.
If TLS can't serve this need in an adequate way, then securing them
will require a lot more work than just layering them on top of
TLS--at which point one might easily imagine providing an application
specific protocol which would meet that application's precise security
needs in a single package.


3. There are a large number of common internet protocols which require
shared secret style authentication, including but not limited to telnet,
the Berkeley r-protocols, NNTP under certain circumstances... So,
we're going to be reinventing this wheel a lot of times. This still
doesn't make it TLS's job, but it's hard to see who's job it is,
then.


4. We've already violated this layering boundary. Public key style
client authentication isn't really a necessary part of TLS service
provision and could be easily handled at the application layer. This
layering argument would be a lot more convincing if we hadn't
already gone against it.

-Ekr

Received on Tuesday, 8 October 1996 14:29:05 UTC