[loa-bof] "secure password" protocol info

Frank Siebenlist franks at mcs.anl.gov
Wed May 9 05:49:23 CDT 2007


I promised to share links about these "secure password" protocols,
which are already supported in the last openssl version.

Pre-Shared Key Ciphersuites for Transport Layer Security (TLS)
http://www.ietf.org/rfc/rfc4279.txt

The BIG advantage of this kind of protocol is that one doesn't need any
x509 certs on client and server to achieve mutual authentication...which
makes it an ideal bootstrap authN protocol.
Furthermore, there are many advantages over simple, less secure digest
authentication schemes, like no possible dictionary attacks on the
messages and such.

You should also be able to combine it with OTP to provide better
security against otp-hijacking if the otp protocol itself is not over a
secured channel (note that a secured channel again requires some
pre-configured server-cert).

In the LoA taxonomy, I believe that this secure password protocol
deserves its own mentioning as it takes the x509 server/proxy-certs and
CAs out of the trust chain.

Enjoy, securely yours, Frank.


PS. Some additional info:

The IEEE P1363 Home Page
Standard Specifications For Public-Key Cryptography
http://grouper.ieee.org/groups/1363/

Submissions to IEEE P1363.2
Submissions for Password-authenticated key agreement
http://grouper.ieee.org/groups/1363/passwdPK/submissions.html

Secure (One-Time-) Password Authentication for the Globus Toolkit
http://www.mcs.anl.gov/~franks/GW05/GW05-SecureOne-Time-PasswordAuthenticationForGT.ppt

Regards, Frank.


-- 
Frank Siebenlist               franks at mcs.anl.gov
The Globus Alliance - Argonne National Laboratory
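
The PSK key exchange the post points to (RFC 4279), as an added worked example that is not part of Frank's post or of OpenSSL: it builds the premaster secret exactly as RFC 4279 section 2 lays it out and runs it through the TLS 1.2 PRF (RFC 5246, SHA-256) to show that client and server reach the same master secret from nothing but the shared key and the two handshake nonces, with no X.509 certificate in the chain.

```python
"""RFC 4279 premaster secret construction plus the TLS 1.2 PRF (added example)."""
import hashlib
import hmac
import os
import struct
from typing import Optional


def psk_premaster_secret(psk: bytes, other_secret: Optional[bytes] = None) -> bytes:
    """RFC 4279 sections 2-4: len(other) || other || len(psk) || psk.

    Plain PSK ciphersuites use N zero octets as other_secret (N = len(psk));
    DHE_PSK and RSA_PSK put the DH or RSA-derived secret there instead.
    """
    if not psk:
        raise ValueError("PSK must not be empty")
    if other_secret is None:  # plain PSK key exchange (section 2)
        other_secret = b"\x00" * len(psk)
    return (struct.pack("!H", len(other_secret)) + other_secret
            + struct.pack("!H", len(psk)) + psk)


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """RFC 5246 section 5: P_SHA256(secret, label || seed), truncated to length."""
    seed = label + seed
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()              # A(i)
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()  # HMAC(A(i) || seed)
    return out[:length]


def master_secret(psk: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """RFC 5246 section 8.1: 48-byte master secret from the PSK premaster secret."""
    return tls12_prf(psk_premaster_secret(psk), b"master secret",
                     client_random + server_random, 48)


if __name__ == "__main__":
    # Constructed demo values: a random 32-byte PSK and the two 32-byte hello nonces.
    psk = os.urandom(32)
    client_random, server_random = os.urandom(32), os.urandom(32)
    client_side = master_secret(psk, client_random, server_random)
    server_side = master_secret(psk, client_random, server_random)
    assert client_side == server_side
    print("shared master secret:", client_side.hex())
```

RFC 4279 section 7.2 itself notes that the handshake does not protect a low-entropy PSK against offline dictionary attacks on the transcript, so the key should be a generated high-entropy secret rather than a human-chosen password.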



More information about the loa-bof mailing list