September 20, 2013

TLS PSK, TLS SRP, and TLS JPAKE

As of time of this post, there are three common password based authentication for TLS:

  1. TLS-PSK (Pre-Shared Key), RFC 4279
  2. TLS-SRP (Secure Remote Password), RFC 5054
  3. TLS-JPAKE, implemented in OpenSSL, not in RFC (yet)
TLS-PSK uses the pre-shared key to generate the TLS premaster key, which is then used to generate master key and session key. It is the simplest one, but the user has to safeguard the PSK.

TLS-SRP is more secure, in that it only stores a password verifier value, not the password itself. It would be a nice upgrade to replace TLS-PSK. Unfortunately, some rumors about potential patent problems (although the authors of SRP, Stanford University, has grant free-use of the patent) prevent it from being adopted in a large scale. For example, Fedora, and therefore Redhat, removes TLS-SRP from its OpenSSL libraries because of this. (Fedora script that removes SRP from openssl). Given that RHEL is the de-facto standard for enterprise Linux, this makes it hard to use TLS-SRP in commercial environment.

TLS-JPAKE is somewhat similar in what it tries to achieve. However, there does not seem to be a standard RFC for it yet, so inter-operability is a question. Also, according to OpenSSL, J-PAKE is still experimental and not activated as default.

For now, we will have to stick to the old plain TLS-PSK, which is a well-defined standard and has been implemented widely. 

No comments:

Post a Comment