[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [TLS] shared secrets from passwords

To: tls mailing list <tls@xxxxxxxx>, Mohamad Badra <badra@xxxxxxxx>
Subject: Re: [TLS] shared secrets from passwords
From: Yoav Nir <ynir@xxxxxxxxxxxxxx>
Date: Wed, 30 Jan 2008 10:09:57 +0200
Cc:
In-reply-to: <479F502B.2020202@xxxxxxxx>
List-archive: <http://www1.ietf.org/pipermail/tls>
List-help: <mailto:tls-request@lists.ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-post: <mailto:tls@lists.ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
References: <479F502B.2020202@xxxxxxxx>

Several RFC's have such a recommendation. RFC 4306 (IKEv2) has thisconstruction to make a shared secret out of a password (section 2.15):


  prf(Shared Secret,"Key Pad for IKEv2")

The idea is that this shared secret has the properties that (a) itcan't be used for anything other than IKEv2 so storing it ispresumably OK (why?), and (b) it looks random. The RFC goes on tostate this:


                               As noted above, deriving the shared
  secret from a password is not secure.  This construction is used
  because it is anticipated that people will do it anyway.


On Jan 29, 2008, at 6:11 PM, Mohamad Badra wrote:

Dear all,

Is there any RFC with recommendations for deriving shared secretsfrom passwords?


Thanks!
--
Mohamad Badra
CNRS - LIMOS Laboratory



_______________________________________________
TLS mailing list
TLS@xxxxxxxxxxxxxx
https://www1.ietf.org/mailman/listinfo/tls

Scanned by Check Point Total Security Gateway.




_______________________________________________
TLS mailing list
TLS@xxxxxxxxxxxxxx
https://www1.ietf.org/mailman/listinfo/tls

Follow-Ups:
- Re: [TLS] shared secrets from passwords
  - From: Florian Weimer
- Re: [TLS] shared secrets from passwords
  - From: Mohamad Badra

References:
- [TLS] shared secrets from passwords
  - From: Mohamad Badra

Prev by Date: RE: [TLS] password-based authentication (was: Some comments about draft-badra-ecdhe-tls-psk-01)
Next by Date: Next big market winner
Previous by thread: Re: [TLS] shared secrets from passwords
Next by thread: Re: [TLS] shared secrets from passwords
Index(es):
- Date
- Thread