Re: [TLS] JPAKE

2016-02-16 Thread Tony Arcieri
On Tue, Feb 16, 2016 at 10:45 PM, Dan Harkins wrote:

> What?!? How is that "better"? Having a "keychain" that loops in some
> vague "secure enclave" that makes authorization decisions based on some
> app deriving a "strong master secret from a weak password/pin" sounds
> complicated


Microsoft:
https://technet.microsoft.com/en-us/library/mt621546(v=vs.85).aspx
Matt Green: https://twitter.com/matthew_d_green/status/699777680728842240
Apple: https://www.apple.com/business/docs/iOS_Security_Guide.pdf (see
also: Matt Green)

Hardware interlocks around authentication allow various anti-brute force,
exponential backoff, and device wiping security measures. They also allow
you to unlock a "full entropy" cryptographic key with some low entropy
mechanism like a PIN without the former being deterministically derived
from the latter.

I personally believe the future of authentication is having a weak
credential which unlocks a strong credential on something you have. This
approach to authentication is generally described as "something you have
and something you know".

-- 
Tony Arcieri
___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
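
Added example, not part of the original thread and not any platform's real API: a software model of the PIN-gated key store the message above describes, set beside a key derived directly from the PIN. The names, the 4-digit PIN space, the wipe threshold of 10, the doubling backoff and the toy work factor are all assumptions made for illustration.

```python
import hashlib, hmac, secrets
ITER = 200            # toy work factor so the demo runs quickly (assumption)
MAX_FAILURES = 10     # assumed wipe threshold for this model

def stretch(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, ITER)

def offline_search(salt: bytes, tag: bytes, msg: bytes):
    """Key derived from the PIN: every guess can be checked offline, unthrottled."""
    for n in range(10_000):
        pin = f"{n:04d}"
        if hmac.compare_digest(hmac.new(stretch(pin, salt), msg, "sha256").digest(), tag):
            return pin, n + 1
    return None, 10_000

class SimulatedEnclave:
    """Software model of a hardware key store (hypothetical, for illustration)."""
    def __init__(self, pin: str):
        self._salt = secrets.token_bytes(16)
        self._verifier = stretch(pin, self._salt)
        self._key = secrets.token_bytes(32)   # full entropy, independent of the PIN
        self.failures, self.locked_until = 0, 0.0

    def unlock(self, pin: str, now: float):
        if self._key is None or now < self.locked_until:
            raise PermissionError("wiped or backoff in effect")
        if hmac.compare_digest(stretch(pin, self._salt), self._verifier):
            self.failures = 0
            return self._key
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self._key = self._verifier = None              # device wipe
        else:
            self.locked_until = now + 2 ** self.failures   # exponential backoff
        return None

def online_search(enclave: SimulatedEnclave):
    """Guess in order, waiting out each backoff; returns (key, guesses, seconds waited)."""
    now, guesses = 0.0, 0
    for n in range(10_000):
        try:
            key = enclave.unlock(f"{n:04d}", now)
        except PermissionError:
            return None, guesses, now
        guesses += 1
        if key is not None:
            return key, guesses, now
        now = enclave.locked_until
    return None, guesses, now
```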


Re: [TLS] JPAKE

2016-02-16 Thread Tony Arcieri
On Mon, Feb 15, 2016 at 4:33 PM, Robert Cragie wrote:

> In Thread, it is used for local device authentication and authorisation.
> These use cases clearly benefit from a PAKE, i.e. deriving a shared
> cryptographic key from a weaker shared password.
>

The better way to solve this problem is a device-specific "keychain", which
possibly loops in some sort of secure enclave for decrypting secrets, and
can authorize secret decryption based on the requesting app, derive a
strong master secret from a weak password/pin (possibly using a PUF for
anti-tamper). This is becoming a standard feature of the OSes on most
devices humans actually physically interact with, e.g. most smartphones,
tablets, and any OS you'd find on a laptop.

If you have this sort of keychain system, you can provision secrets
on-the-fly, e.g. origin-bound certificates. Now you don't need PAKE.