Hi Peter,

I completely agree with the rest of the argument. But I don't know of a realistic way to do it with TLS-PSK (people will *always* use short passwords, it's not like it's the exception to the rule).

TLS-SRP is one possible solution. Or, as Yoav suggests, TLS-EAP with several alternatives, including EAP-PWD and EAP-EKE. In some interesting cases, EAP-AKA might also be appropriate.

Unfortunately the IAB thinks that TLS-EAP is Bad Bad Bad (http://tools.ietf.org/html/draft-iab-auth-mech-07#section-10.2.4). So it's back to PKI. Sigh.

Thanks,
Yaron

> -----Original Message-----
> From: pgut001 [mailto:pgut...@wintermute02.cs.auckland.ac.nz] On Behalf Of Peter Gutmann
> Sent: Friday, March 05, 2010 2:07
> To: pgut...@cs.auckland.ac.nz; u...@ll.mit.edu; Yaron Sheffer
> Cc: c...@irtf.org; ipsec@ietf.org
> Subject: RE: [IPsec] [Cfrg] Beginning discussion on secure password-only authentication for IKEv2
>
> Yaron Sheffer <yar...@checkpoint.com> writes:
>
> >Can someone please explain the joke to me? Nelson was asked about TLS-PSK
> >(RFC 4279) and he replied that it can easily be abused. TLS-PSK (similarly to
> >IKE-PSK) is vulnerable to dictionary attacks if used with a short secret
> >(a.k.a. "password"), at least in the presence of an active attacker. So I
> >think his response was entirely appropriate. What am I missing?
>
> Thinking through the rest of the argument, which is:
>
> - We currently have a (supposedly) multi-billion dollar global industry built
>   around the total failure of the existing browser authentication model.
>
> - Mutual authentication, in which the server has to prove knowledge of the
>   user's credentials before the user can connect, would cause a serious
>   headache for phishers.
>
> - The FF developers have chosen not to implement this because, in the
>   special-case situation where it's done really badly, it could theoretically
>   be abused (note the special-case qualification of "if used with a short
>   secret", for which the answer is "well don't do that, then").
>
>   This is balanced against the currently-used model which pretty much doesn't
>   work at all right out of the box, no matter what you do with it.
>
> - Phishers the world over breathe a sigh of relief, and business continues as
>   usual.
>
> Peter.