[cryptography] Request - PKI/CA History Lesson]

darkstar at city-net.com darkstar at city-net.com
Fri May 2 01:20:31 EDT 2014


[actually to the list this time...]
>> ZKPP has to be in the browser chrome, not on the browser web page.
>
> This seems obvious, but experiments show users do not understand it.
> We have yet to find a satisfactory answer to a trusted path for
> ordinary users.

[some thoughts first, real question at the end]

  While not itself a full solution, it seems to me like this really needs
to be integrated into the OS (although I think these same basic ideas
could be applied at the application level as well, just less reliably).
It seems to me that the only time a password should be used at all is
user login; after that, the OS should generate random certificates to
use for authentication and multiple identities should require using
multiple user accounts.  The login password itself should be useless
without data not available to the logged in user, so that the trused
path must be used to switch users and there would be no su(do) or "click
yes to use administrator privileges".  Most users don't need remote
login of arbitrary users, so (with some disk encryption) this would at
least leave phish-and-steal-the-device as the possible user-level attack
vector (of course, in many cases just stealing credentials would be
easier and more valuable but with the user not directly interacting with
credentials this would mostly mean remote code execution).  If changing
users is a necessary part of using the system and it only works if you
do it right, users will necessarily learn to use the trusted path and
the chance of phishing would hopefully be minimal.  New logins should
start from the configured system state rather than restoring state to
prevent "look like you entered your password wrong" phishing (this
startup state would need to be only configurable external to the
particular user, from a system management account).  Then make it easy
to configure user accounts to do particular tasks, such as start a
browser that connects to your bank and logs you in.  To the extent that
you want to separate remote credentials from each other, you would do
that via separate local accounts.  System management should make it
possible to share or move credentials between user accounts (copy too
for advanced users).

  This still leaves a few issues: to make it workable, there needs to be
some method of multiple simultaneous logins with user switching, which
could then be subject to phishing.  Sessions could be "detached" with a
single console user and a simple command/action to connect to the
detached session after login, which goes to the default setup that
confirms you logged in correctly.  For most users, this could just be
the system displaying "login successful" with some time delay (and cute
animation) before restoring the session.  Also the algorithms used would
need to be local cross user (timing attack, etc.) safe.

  The main reson I can think of to want to be able to directly login to a
remote system with a password you can remember is to be able to access
an account via a random (but hopefully presumed to be trustworthy)
system using only the contents of your memory.  There are various
options here but for now I'll leave it at saying that this is something
that users often want to be able to do so there should be some way to do
it but IMO it shouldn't usually be the default much less only option.
Users should generally not need to do more than say "yes, I want to
create authenticaiton credentials with this site" (with the option to
bootstrap with externally provided credentials that might have e.g. been
paper mailed to the user, which I suppose is another use case of
passwords the user can enter reasonably easily).  The credentials
themselves would be stored by the OS not the particular application (but
might be tagged to be for a particular application).

  Anyway, those are my thoughts but I mostly wanted to ask if there is a
particular well described, patent free, and ready to implement
(considered safe) ZKPP + PAKE system that folks would recommend?  Are
there significant issues beyond tradition that has prevented wider
adoption?  Why wasn't SRP more widely used?

-Matt





More information about the cryptography mailing list