Re: SPAKE, DTLS and passwords + aPAKE and SCRAM

From: Joseph Reynolds <jrey@linux.ibm.com>
To: Michael Richardson <mcr@sandelman.ca>,
	openbmc <openbmc@lists.ozlabs.org>
Subject: Re: SPAKE, DTLS and passwords + aPAKE and SCRAM
Date: Tue, 5 Oct 2021 10:24:59 -0500	[thread overview]
Message-ID: <a9a07a2a-c093-affa-9d90-bb04d82b9b05@linux.ibm.com> (raw)
In-Reply-To: <17277.1633384075@localhost>

On 10/4/21 4:47 PM, Michael Richardson wrote:
> Joseph Reynolds <jrey@linux.ibm.com> wrote:
>      > The planned IPMI over DLTS function will have certificate-based
>      > authuentication.
>
> Do you mean that the server will be authenticated with a certificate, or that
> it will use mutual authentication?
>
>      > For our use cases, we would like to add password-based
>      > authentication, and we want to do so as securely as possible, meaning what
>      > protocol we should use.  In particular, we want to know if we should avoid
>      > sending a “cleartext” password (tunneled over DTLS) to the server.
>
> If it can be avoided, yes.
>
> https://www.rfc-editor.org/rfc/rfc8125.html#section-3.1 suggests that all
> the PAKE candidates (whether balanced or augmented) satisfy this.
> I strongly suggest that a PAKE be used.
> The CHIP/MATTER IoT people are using
>     https://datatracker.ietf.org/doc/draft-bar-cfrg-spake2plus/
> although the IRTF CFRG hasn't adopted that document yet.  I don't know
> exactly where they are with it.  But, I expect you will find many libraries
> going forward.
>
Michael, thanks for your reply.  I got feedback from my people (but my 
skillset is too weak to interpret it):

Weakness of SRP (Secure Remote Password):
  - Server spoofing, there is nothing that prevents a server from being 
spoofed.
  - Widely adopted with very little proof of being cryptographically 
secure and has been shown vulnerable to pre-computation attacks 
  - No feasible way to check for password complexity in the protocol 
(true for most aPAKE - asymmetric Password Authenticated Key Exchange)
  - Some debate over if actually provides forward secrecy.

Recommendation to look at at OPAQUE aPAKE: 
https://blog.cloudflare.com/opaque-oblivious-passwords/

Suggestion to use SCRAM 
https://en.wikipedia.org/wiki/Salted_Challenge_Response_Authentication_Mechanism

-Joseph

...snip...

>
> --
> ]               Never tell me the odds!                 | ipv6 mesh networks [
> ]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
> ]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [
>
>
>
>