[Security] channel bindings
ekr at rtfm.com
Wed Feb 11 09:06:44 CST 2009
On Wed, Feb 11, 2009 at 4:37 AM, Dave Cridland <dave at cridland.net> wrote
> This is the trick - you have a shared secret, agreed between the endpoints,
> in such a way that the MITM cannot know it.
> DIGEST-MD5 will prove that the endpoints which exchanged the shared secret
> are the same as the endpoints of the authentication.
> SCRAM - because it does Channel Binding - proves that *and* that the
> endpoints of the secure channel are also the same - this prevents there
> being a passive MITM.
> In a sense, this is all about ensuring that one channel has the security
> properties of another.
> I'm suggesting using SCRAM here a lot rather than making our own, primarily
> because making our own seems significantly more prone to error, and I'm
> anticipating that SCRAM will end up being a popular choice for a password
> mechanism on server and client alike anyway.
It's worth observing that if you're really going to standardize on one
based mechanism, it would be more efficient to simply use TLS-PSK or
rationale for channel bindings is to retain some existing application level auth
More information about the Security