TLSSRP Next Steps

1
TLS/SRP Next Steps

• draft-ietf-tls-srp-10
• David Taylor
• Tom Wu
• Nikos Mavrogiannopoulos
• Trevor Perrin (presenter)
• IETF 64

2
Motivation

• Many protocols use passwords with TLS
• Client and server negotiate TLS using the
  servers certificate
• Client then sends password (or its hash)
  protected by TLS
• Theres room for improvement

3
Password protection

• If the client fails to negotiate a secure session
  to the correct server, the password (or hash)
  could be sent to an attacker
• Improvement Authenticate using the password but
  without sending it

4
Mutual authentication

• Handling certificates can be complicated for
  administrators, implementors, and users
• Improvement Use the password for mutual
  authentication so the server certificate is
  optional
• If server certificates are used, passwords
  provide a backup

5
Integration with TLS

• Adding password support to application protocols
  can be difficult for protocol designers
• May require modifying protocols in unanticipated
  ways
• May require non-security experts to deal with
  security issues (nonces, salts, channel binding,
  etc.)
• Secure password support in application layer may
  require redundant computations with TLS
• Improvement Integrate strong password
  authentication into TLS handshake

6
End result

• Client and server mutually authenticate with TLS
  using the clients password
• Without exposing the password or its hash
• Optionally using the servers certificate
• Increases usefulness of TLS by providing a
  packaged solution to a common problem

7
Secure password protocols

• Bellovin introduced the idea in 1992 with EKE and
  DH-EKE
• Since then, many proposals (SPEKE, SRP, PAK,
  etc.)
• This draft uses SRP-6
• SRP invented by Tom Wu in 1997
• Among most efficient and widely adopted
• Standardization ongoing in IEEE and ISO

8
Protocol messages compared to Ephemeral DH

• Client Hello (username)
• Server Hello
• Certificate
• Server Key Exchange (salt)
• Server Hello Done
• Client Key Exchange

9
Protocol messages compared to Ephemeral DH

• Client Hello
• Alert (missing_srp_username)
• Client Hello (username)
• Server Hello
• Certificate
• Server Key Exchange (salt)
• Server Hello Done
• Client Key Exchange

10
History of Draft

• Draft 00 in 03/01
• Draft 04 in 11/02 (SRP-6)
• Draft 05 in 06/03 (missing_srp_username)
• Draft 07 in 06/04 (updated to latest SRP-6)
• Draft 08 in 08/04 (aligned with P1363.2)
• Draft 09 in 03/05 (removed parameter validation)
• Draft 10 in 10/05 (polished text, final
  references)

11
Experience with draft

• 3 current implementations, 1 obsolete one
• OpenSSL patch by Peter Sylvester
• GnuTLS support by Nikos (draft author)
• Tlslite support by Trevor (draft author)
• Jessie support by Casey Marshall (obsolete)
• All interoperable and open-source

12
Discussion

• SHA-1 migration
• Hopefully a general TLS migration strategy would
  work for this draft (e.g., new ciphersuites, or a
  new extension)
• IPR
• Stanford licenses the SRP patent (6,539,479)
  under Royalty-Free terms
• Lucent and Phoenix have made IPR statements to
  the IETF about SRP
• At 11/2002 IETF meeting
• Minutes There was some discussion of the patent
  status with respect to SRP, and some reluctance
  to push it forward without some clarity.
• Jabber log jis informational now, maybe
  proposed standard when the IPR becomes clear.