
Re: [TLS] shared secrets from passwords



On Tue, 29 Jan 2008 20:16:42 -0800
Nelson B Bolyard <nelson@xxxxxxxxxxx> wrote:

> Mohamad Badra <badra@xxxxxxxx> wrote:
> >> Is there any RFC with recommendations for deriving shared secrets
> >> from passwords?
> 
> My recommendation would be to strongly advise TLS implementors
> against any form of deriving shared authentication or encryption
> secrets from passwords.
> 
> One fact about shared secrets: If the users are humanly capable of
> giving them away, they will do so.  The simplest way to get a user's
> password is typically to simply ask him for it.  If the user's shared
> authentication secret can be derived from a password, then the attack
> will be to get the user to divulge his password to the wrong party.
> (Here's a cute example: http://wdl.lug.ro/funny/pictures/credit.jpg )
> 
> A system in which the user cannot easily give away his shared
> authentication secret, even if he wants to, because he does not have
> it in his head and he cannot get his system to show it to him, will
> be much more secure than one in which the shared secret itself can be
> given away from memory or by reading.
> 
> I suggest you consider a "two factor" system, wherein (say) the user's
> password only serves to locally unlock/decrypt a local copy of a
> shared secret that was previously generated from a random source, and
> where that shared secret cannot be seen by the user.  The user can
> give away his password but doing so will not, by itself, give away
> his shared authentication secret.
> 
There are lots of ways to implement bad security; passwords are only
one.  See, for example, http://www.xkcd.com/364/.  Alternatively,
consider http://blog.wired.com/27bstroke6/2008/01/leaked-document.html
-- and remember Gene Spafford's famous line about using crypto on the
Internet with its very weak endpoints.

Past that, there's the human element.  Suppose people do use
client-side certificates.  The bad guys -- those who don't just hack
the client machine -- will implement MITM attacks, since people will
*not* validate the server's certificate properly
(http://research.microsoft.com/copyright/accept.asp?path=http://www.research.microsoft.com/sn/dss/papers/pip.pdf&pub=15).  

Perhaps more to the point, where will the secret key be stored?  I
regularly use five different (believed-to-be-secure) machines.  Which
should have the key?  If one of them is my work machine, does
management have access to the key?

I'd like passwords to go away, too.  I doubt that they will any time
soon.  Preshared secrets for TLS keys are much better than plaintext
passwords transmitted over TLS-protected connections -- and that's what
the issue here is.


		--Steve Bellovin, http://www.cs.columbia.edu/~smb
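The two-factor arrangement described in the quoted text (a password that only unlocks a locally stored, randomly generated secret, with the secret itself never shown to the user or sent on the wire) can be sketched in a few dozen lines. The following is an added example written for this page; it is not code from the thread, from either author, or from any TLS implementation. It assumes Python's standard library only: scrypt as the password KDF, and, as a stdlib stand-in for a real AEAD such as AES-GCM, an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag. All parameters, the sample password and the sample challenge are constructed values.

```python
"""Password unlocks a locally stored random secret; the secret itself never
leaves the device in cleartext.  Added example, not from the TLS list thread."""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed parameters (assumptions for this example, not from the thread).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1
SECRET_LEN = 32      # bytes of random shared authentication secret
SALT_LEN = NONCE_LEN = 16
TAG_LEN = 32


def _kek_from_password(password: str, salt: bytes) -> bytes:
    """Derive a 64-byte key-encryption key from the password with a memory-hard KDF.
    The first 32 bytes encrypt, the last 32 bytes authenticate."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=64)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stdlib-only stream cipher standing in for
    a proper AEAD.  Each block is HMAC(key, nonce || counter)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def enroll(password: str) -> Tuple[bytes, bytes]:
    """Generate a random shared secret and wrap it under the password.
    Returns (secret, blob); only the blob is written to local storage and
    the secret is what gets provisioned to the peer out of band."""
    secret = secrets.token_bytes(SECRET_LEN)
    salt = secrets.token_bytes(SALT_LEN)
    nonce = secrets.token_bytes(NONCE_LEN)
    kek = _kek_from_password(password, salt)
    enc_key, mac_key = kek[:32], kek[32:]
    ciphertext = _xor(secret, _keystream(enc_key, nonce, len(secret)))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return secret, salt + nonce + ciphertext + tag


def unwrap(password: str, blob: bytes) -> Optional[bytes]:
    """Recover the shared secret from the local blob.  Returns None when the
    password is wrong or the blob was tampered with (tag check fails)."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        return None
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext = blob[SALT_LEN + NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    kek = _kek_from_password(password, salt)
    enc_key, mac_key = kek[:32], kek[32:]
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return _xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext)))


def prove_possession(secret: bytes, server_challenge: bytes) -> bytes:
    """What actually goes on the wire: a MAC over the peer's challenge computed
    with the unwrapped secret.  The secret itself is never transmitted, and a
    user who is talked into revealing the password has not revealed this."""
    return hmac.new(secret, server_challenge, hashlib.sha256).digest()


def demo() -> dict:
    password = "correct horse battery staple"        # constructed sample password
    challenge = b"constructed-server-challenge-0001"  # constructed sample challenge
    secret, blob = enroll(password)
    return {
        "unwrap_ok": unwrap(password, blob) == secret,
        "wrong_password_rejected": unwrap("not the password", blob) is None,
        "tamper_rejected": unwrap(password, blob[:-1] + bytes([blob[-1] ^ 1])) is None,
        "response": prove_possession(secret, challenge).hex(),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point the quoted text makes shows up in `demo()`: a phished password alone, without the device's blob, yields nothing usable, and the blob alone is protected by scrypt's cost; what the peer ever sees is `prove_possession()`'s MAC, not the secret. A real deployment would replace `_keystream` with an AEAD from a vetted library and bind the response to the TLS transcript rather than a bare challenge.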


_______________________________________________
TLS mailing list
TLS@xxxxxxxxxxxxxx
https://www1.ietf.org/mailman/listinfo/tls