On Mon, Dec 10, 2018 at 06:47:25PM -0500, Paul Wouters wrote: > On Mon, 10 Dec 2018, Nico Williams wrote: > > >There's no reason to not also add support for an augmented PAKE for road > >warriors. It's true that road warriors are already well-supported via > >PKIX user certificates > > That is still missing OTP support :(
If you have the private keys locked unextractably in a hardware token that requires a PIN to unlock, then you have two factors right there. That's not generic two-factor authentication though, and it certainly isn't OTP. > >, so perhaps there's no need, but it's very little > >extra work to support both, augmented and non-augmented. > > I'd want the PAKE method to support OTP. It's doable. > >(Should I be saying "balanced" instead of "non-augmented"?) > > Explaining these differences on this list would be useful for me and > possibly others. A PAKE is a zero-knowledge password proof protocol (ZKPP) that also provides authenticated key exchange with forward security. A ZKPP is a password-based authentication protocol where neither eavesdroppers nor active attackers get to mount off-line dictionary attacks on captured protocol material. I had never seen the word "balanced" used to refer to "not augmented", but I like it. A "balanced" PAKE is one where both sides share a secret or secret- equivalent. An "augmented" PAKE is a PAKE where the credentials are asymmetric so that relying parties (servers, acceptors, responders, whatever you call them) store "verifiers" rather than password-equivalent secrets. A verifier is much like a hash of a password: not password-equivalent, but susceptible to off-line dictionary attack. Compromise of shared secrets (via server compromise) is catastrophic for a balanced PAKE since until you're able to change all the secrets the attacker can impersonate all the users to the server. Compromise of verifiers (via server compromise) is much less disastrous for an augmented PAKE because you have some time in which to change all the weak secrets: the time it would take the attacker to recover passwords via off-line dictionary attack. The verifiers would all be salted, naturally, so if your secrets are reasonably strong then that might be a lot of time to change all those passwords. A balanced PAKE is symmetric as to initiator/responder roles. An augmented PAKE is not quite. The asymmetry in roles in augmented PAKEs means that in order to function as an IKE responder (and thus maintain IKE initiator/responder role symmetry), the IKE PAKE extension would have to permit one side to request that the other initiate the augmented PAKE exchange. Nico -- _______________________________________________ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec
