Another entry in the internet security hall of shame....

Peter Gutmann pgut001 at cs.auckland.ac.nz
Mon Aug 29 06:23:55 EDT 2005


Dave Howe <DaveHowe at gmx.co.uk> writes:
>Nicolas Williams wrote:
>> Yes, a challenge-response password authentication protocol, normally
>> subject to off-line dictionary attacks by passive and active attackers
>> can be strengthened by throwing in channel binding to, say, a TLS
>> channel, such that: a) passive attacks are not possible, b) MITMs below
>> TLS get nothing that can be attacked off-line, and c) server
>> impersonators can be detected heuristically when the attacker can't
>> retrieve the password in real-time (such an attack is indistinguishable
>> from password incorrect situations, but...).
>
>Indeed. The main problem with TLS is lack of PKI support; in principle, this
>isn't true - TLS uses X509 certs, just like any other SSL based protocol - but
>in practice, everyone uses self-signed certificates and nobody checks them or
>even caches them to see if they change.

TLS-PSK fixes this problem by providing mutual authentication of client and
server as part of the key exchange.  Both sides demonstrate proof-of-possession
of the password (without actually communicating the password); if either side
fails to do this, the TLS handshake fails.  Its only downside is that it isn't
widely supported yet: it's only just been added to OpenSSL, and who knows when
it'll appear in Windows/MSIE, Mozilla, Konqueror, Safari, ...

Peter.
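
As an added illustration (not code from the original message or from OpenSSL), here is a constructed Python model of the proof-of-possession step Peter describes: each side derives keys from its own copy of the PSK and proves possession with an HMAC over the handshake transcript, the PSK itself never goes on the wire, and a mismatch on either side aborts the handshake. The key derivation is a simplification of the RFC 4279 scheme and the function names and the `server_verifies` switch are assumptions made for the example.

```python
import hmac
import hashlib
import os

# Constructed toy model of the TLS-PSK proof-of-possession step. It is not the
# real TLS record or handshake format; only the authentication logic is modelled.

def derive_keys(psk: bytes, client_nonce: bytes, server_nonce: bytes):
    """Derive per-direction Finished keys from the PSK and both nonces.
    The PSK itself is only ever used as a MAC key here; it is never sent."""
    master = hmac.new(psk, b"master" + client_nonce + server_nonce, hashlib.sha256).digest()
    client_key = hmac.new(master, b"client finished", hashlib.sha256).digest()
    server_key = hmac.new(master, b"server finished", hashlib.sha256).digest()
    return client_key, server_key

def finished(key: bytes, transcript: bytes) -> bytes:
    """Finished-style MAC: proves possession of the derived key (hence the PSK)."""
    return hmac.new(key, transcript, hashlib.sha256).digest()

def psk_handshake(client_psk: bytes, server_psk: bytes, server_verifies: bool = True):
    """Run the mutual check; return (verdict, bytes an eavesdropper would see).
    server_verifies=False models an impersonator that does not know the PSK,
    cannot check the client's proof, and presses on with a forged Finished."""
    cn, sn = os.urandom(32), os.urandom(32)
    wire = b"ClientHello" + cn + b"ServerHello" + sn      # nonces only, no PSK
    c_ckey, c_skey = derive_keys(client_psk, cn, sn)      # client's derivation
    s_ckey, s_skey = derive_keys(server_psk, cn, sn)      # server's derivation
    # Client proves possession first; an honest server checks it with its own key.
    client_fin = finished(c_ckey, wire)
    if server_verifies and not hmac.compare_digest(client_fin, finished(s_ckey, wire)):
        return "server aborts: client failed proof-of-possession", wire
    wire += client_fin
    # Server proves possession over the whole transcript; the client checks it,
    # so a server that does not hold the PSK is detected at this point.
    server_fin = finished(s_skey, wire)
    wire += server_fin
    if not hmac.compare_digest(server_fin, finished(c_skey, wire[:-len(server_fin)])):
        return "client aborts: server failed proof-of-possession", wire
    # Caveat (RFC 4279, sec. 7.2): the MACs on the wire can be tested offline
    # against guesses, so a low-entropy PSK is still dictionary-attackable.
    return "ok: mutual authentication", wire
```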

---------------------------------------------------------------------
The Cryptography Mailing List